23542300x800000000000000018490122Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.774{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490121Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.487{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C3A0471CA558297CCE498946C82B1B,SHA256=328A57EAC185242490FB24FE3F015C1C4C03A808128D9209E375871BFCE4C4CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253014Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:19.431{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E933B07D571686E460548AE322391D,SHA256=0430E409332B7C732E2432DEAE5FE4396006F797E5131CBD6E2FC12093F427C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253013Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:16.506{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53560-false10.0.1.12-8000- 23542300x80000000000000001253016Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:20.463{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85C7C5C76D4010F5A0A3AA593D30584,SHA256=E12C1408F71788AB00E3AC3006474BB828D4363985BD1B5FD7A035FFE2B5AF66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018490124Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:17.476{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60520-false10.0.1.12-8000- 23542300x800000000000000018490123Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:20.516{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCF92682854670B9425DABF7C29D350,SHA256=894E9DB6C4442F451A23A3AB792D1EF328534582D86FAF2A63FC06ABC518F812,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253015Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:17.367{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-35908-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000018490138Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:21.807{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490137Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:21.779{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490136Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:21.775{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\473649AEE0E27991BA4DD471BA52AEF3B91C8C5CMD5=8D718F7079BF8C51B7D29FBE4562101A,SHA256=29515868757B94B501431852BA9B1B3A2728BCE862D2303D80D1DE79EF6339B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490135Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:18.554{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57431- 354300x800000000000000018490134Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:18.554{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-970.attackrange.local54595-false142.250.185.162fra16s51-in-f2.1e100.net443https 354300x800000000000000018490133Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:18.553{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52068- 23542300x800000000000000018490132Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:21.525{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFD8915FFD72085F167AB6763F21FD4,SHA256=D49204BE91DD2DA8703B8FB195E0B4365AAD17D16393590959FFDA5F60C4F0B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253017Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:21.463{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9741F6C51E0158E8BC21B8C397A49A56,SHA256=2F238FCC4CBA08B476E50CD36A1761682CBA2C5BD5E4E3A12F664E664EC80078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490131Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:21.502{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\26D6BC4F5A2B6C4D015172C34F94F298F3373023MD5=23357A782CB96872FDE666C932507734,SHA256=C4624DB6BFC2E439E66DBAB1C0027F8D63506347BA8A793578319E9A25AEF336,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490130Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:18.548{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54594- 354300x800000000000000018490129Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:18.538{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57157- 354300x800000000000000018490128Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:18.538{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52139- 354300x800000000000000018490127Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:18.517{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55950- 354300x800000000000000018490126Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:18.517{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49835- 354300x800000000000000018490125Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:18.514{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50373- 354300x800000000000000018490153Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.913{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-970.attackrange.local55690-false142.250.186.68fra24s05-in-f4.1e100.net443https 354300x800000000000000018490152Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.912{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50858- 354300x800000000000000018490151Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.912{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55183- 354300x800000000000000018490150Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.912{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55689- 354300x800000000000000018490149Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.912{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57877- 354300x800000000000000018490148Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.912{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51232- 354300x800000000000000018490147Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.910{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local64952- 354300x800000000000000018490146Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.910{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local64949- 354300x800000000000000018490145Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.815{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-970.attackrange.local59556-false216.58.212.130ams15s21-in-f130.1e100.net443https 354300x800000000000000018490144Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.813{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59555- 354300x800000000000000018490143Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.812{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49859- 354300x800000000000000018490142Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.802{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-970.attackrange.local57432-false172.217.16.129fra15s46-in-f1.1e100.net443https 23542300x800000000000000018490141Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:22.532{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF70DFE732516BA7A5E80E6303F03840,SHA256=161BFB8932B9B2DAB5F1A55D45F71080B985B0E5C498E9759679A43F29FD89CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253018Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:22.494{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C851D9764B9EA7E52207043F9162DF,SHA256=0083FF54EC01FEDD78A4219DAE22DE90E057D01BC3FF9B91E0CBB2E610B9920B,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000018490140Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.920{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.google.com0142.250.186.68;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490139Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:19.920{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.google.com0::ffff:142.250.186.68;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000018490157Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:20.142{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53710- 354300x800000000000000018490156Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:20.142{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57451- 354300x800000000000000018490155Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:20.139{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49252- 23542300x800000000000000018490154Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:23.541{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3089A7EF48C324263052C6F0657E969B,SHA256=7E3010E939448042E899F1E5D00B4A671FBBBEFB7F981996EF1E5DC5BF928DA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253019Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:23.509{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF06F75BA147E0CE848CE0EF456CFA4,SHA256=C4067F008E1EBC306E69C42EB9E363EFC815A0A1205D6A72A3086AF506A17BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253022Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:22.334{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53561-false10.0.1.12-8000- 354300x80000000000000001253021Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:21.217{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-59434-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253020Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:24.525{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9540E62196BB1B9CAEC01CA497D8C170,SHA256=EEF9274948B5AE0CDF9BDD70A7829225ACF5E95C5BB353F116FACDC387FB26E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490158Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:24.544{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1829509F8DE381BBE0E5BE9E5F3CC5F6,SHA256=E4CDD255B08C9B39D9DA65F421389882E722A2C168C07DC95FBC40810704671A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490163Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.548{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757B6C0531BFEEFB374EC55DB34BE509,SHA256=67C7454F78A2E80BD106FAF823385B8AA4AB62D3BB218B6332DDBAEA2529FCE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253024Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:22.620{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-46552-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253023Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:25.541{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FA9E75FD62B8FA8DECA0795D829064,SHA256=B69C45C610EB936CFFD7F1B7242219EC0D13C0940A563F036451CF31AE382D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490162Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.311{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\doomed\1249MD5=CE7D82F075F75A6F1B157285D643A7C1,SHA256=8D2E23AC861A035169DBE2EE2A44B0FE0EAEDAD3A6D617001E77BFB1358ED6A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490161Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.310{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\doomed\15097MD5=84E43839F6261E7283253BA9715DF228,SHA256=AAC2D814CB6BC40683D707EDA7CF81AAE9F8DB67B0F3249F47B4D70E1BDE15B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490160Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.309{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\doomed\7095MD5=C60A9CBCA152F30EA89BA9DDDE9F3C6B,SHA256=F5A1D15AF262A361285D56974BAFA8928911E1676DB444A419832C8EE67DE511,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490159Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.305{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\doomed\9800MD5=A5BEB7140C9A6916FCC494A7F80A2B1E,SHA256=A009015FD3026AEE8F889C82C6325C5C108836EABA0CBC9E5B414A4770E95F82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490166Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:23.641{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.67.65-63313-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018490165Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:23.377{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60521-false10.0.1.12-8000- 23542300x800000000000000018490164Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.551{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7185FAFEA23C8AAD07F0D35610A284,SHA256=848325BDED2DD2D7BFA32B2CF078A267B0B34A29E2411F8253AB64A212C26AD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253025Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:26.572{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE61D6235C5FDA525EBEE23090F599A1,SHA256=2ADA4A5CC6D27886F94B04451AD5054E83466C7D87A0E209F999ABE674BD5DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490169Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.910{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\6D80281AE4F7084F607235DDAB3B52D2C126D147MD5=814F8CAC8280C3C79C089E3B0EA9646B,SHA256=7803B1DB70467ED9535CB9D324BBCD7E666E4EF084A45E4E85B371A185B616E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490168Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.860{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 23542300x800000000000000018490167Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.572{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8813097CD1112071461F973C6AFD0927,SHA256=D9644D4E1394E803EE8012D22B2888913FDA665491ED391383C030F44DEC6288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253026Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:27.588{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2D8D100A28F9C62B6D96962139FE81,SHA256=14E238EE743CCF0636C7428CD2B777F174D08B09FA33EB75B5A83C007E28145A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253027Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:28.619{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF726DB546A91268E82AD9ABAA9E493,SHA256=E1F9D937CFC6DC5440C485EB97AB74830BE7EAE2EA8186B893F7091A7218D4C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018490243Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.209{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60524-false138.128.181.29138-128-181-29.static.hostdime.com80http 354300x800000000000000018490242Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.150{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-970.attackrange.local50049-false142.250.181.232fra16s56-in-f8.1e100.net443https 354300x800000000000000018490241Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.123{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60527-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x800000000000000018490240Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.120{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50048- 354300x800000000000000018490239Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.120{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57709- 354300x800000000000000018490238Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.117{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49228- 354300x800000000000000018490237Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.111{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60526-false142.250.181.232fra16s56-in-f8.1e100.net443https 354300x800000000000000018490236Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.102{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53003- 354300x800000000000000018490235Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.101{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58172- 354300x800000000000000018490234Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.087{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60525-false142.250.181.232fra16s56-in-f8.1e100.net80http 354300x800000000000000018490233Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.085{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51846- 354300x800000000000000018490232Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.084{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57844- 354300x800000000000000018490231Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.083{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51438- 354300x800000000000000018490230Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.082{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60523-false18.66.139.31-443https 354300x800000000000000018490229Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.077{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59423- 354300x800000000000000018490228Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.807{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60522-false138.128.181.29138-128-181-29.static.hostdime.com80http 354300x800000000000000018490227Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.674{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49461- 354300x800000000000000018490226Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.673{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55445- 354300x800000000000000018490225Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.652{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56673- 354300x800000000000000018490224Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:24.994{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59613- 23542300x800000000000000018490223Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.964{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54BD63C08C3F4B150D087F4828AA4E6,SHA256=98E7140720E294A31C26709BF047E68552F70B5667241A33DB57177E975EEE90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490222Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.817{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\A1E884376AE20E214514ED49EF5724A6DE62E7A3MD5=8CFC47C639B1E8A6081FBFE7F7BC1E78,SHA256=D7EA6B8C7A517F463A4BEE494D9BC534B9008219EAF55051B046189635D3138E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490221Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.816{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\2605CE6153C04F1C5F69E051363D941F5F69738CMD5=C597AA292D39B8AB2448FF67B0D4927F,SHA256=10675A29DC266374E8F8728139C133748F19692CA1A1A2A5E54896722D6C79E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490220Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.815{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\A36CFCE9E35A0D55EF3F388E9CBCB3347C71ABAAMD5=C6620C7AD9A63ECF89F2606E3018DE47,SHA256=09A4873BF03F502169C594FA94BC0BE3D3F21141B3387DE3D4EE01735C36552D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000018490219Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.690{CBEA6AB7-55E4-619B-9101-000000000F02}5988blog.nirsoft.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490218Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.682{CBEA6AB7-55E4-619B-9101-000000000F02}5988blog.nirsoft.net0138.128.181.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490217Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:25.681{CBEA6AB7-55E4-619B-9101-000000000F02}5988blog.nirsoft.net0::ffff:138.128.181.29;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000018490216Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.651{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\EB76027B226DEC89A68FA3E88237EE8DE1A86482MD5=06383B6D271560A558B38F243189268E,SHA256=47F90FBC28D234866CCCEA6DE46078A16497E8B7DBCD5680267DA413EAA99C99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490215Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.650{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\B225EC8091FE56CCE19DD58E5E22735F7C769C39MD5=C797C12F1508C058E023655D6C95F1A0,SHA256=EC6346AD1AA8C98632E3833C09B7BF28E8FCBF6763F6441CFAFD252A770817DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490214Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.650{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\9935D71C100ACD87FE094D98131561621DF94CBAMD5=3473B75E54A9CDDA764FFA00C1C0C43C,SHA256=8D2573363E1F9F55A01D6DEFF385FD5CF26F91BB871020A0AE5B6F980EF06FB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490213Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.649{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\8D22EF49990C592336C24544A6F89C43346E294FMD5=6C81118277A37BC1BD950DF5257237DF,SHA256=659B52414AA2E2BD8E39F3EE92ED39A4913B49408135CBDE49C15589692CD71A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490212Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.648{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\5C473D8A91FACC2A204A319797FA2D7B0AFEB834MD5=4A4E55402DD13F4B07C141645137AC6F,SHA256=E61CFF3A41DABCE8C016A210E8EF7CD575348945DE131EE5A560F2EE06C03936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490211Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.647{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\B4B00553DD7AF6F10A914EFD02AC7E642935DCC3MD5=F22B8B459F24FC17DCA312DF6792D17C,SHA256=D999BB686E4F04E3765565B8A6C613AB053A431ECA604EEB9770779CAEC90AF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490210Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.646{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\8BF911B376D7F1AE872C394C9D0D717BB7B56D80MD5=B90217FE85EBD30755425A49723E6C22,SHA256=1A9AED6E06454743EE38EE3498F1C7254828A5ACC79E9EBA290AAE3C3AE83BF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490209Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.643{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\743161C21CC29F3F83B4BC62F3959F79C08ABE72MD5=510DE6A179999C3FDF67B5FFDF20FB31,SHA256=3B0C4F246E0CFE9922B9E82DBBA441BDF77CFB3F968CD36CB86117311FEC86C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490208Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.642{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\C3D876B8D5B419C24715B25C5EF719CD7EFA49DAMD5=8BA2277A45E7A2A7820A1BD21143DF23,SHA256=FE7D89DF181E3509EBE90896C78E34AF43712AF4CA774C5420AA63DBC40074DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490207Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.632{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490206Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.620{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\93980E5F09043C0596B578A00DE9F792D8D0DC7DMD5=10F3DC63275551E99D4542B84E07D777,SHA256=273EE9C72ACE3A7373A118F38FBBD8DD62445921B28826A1010B915F7F754C2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490205Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.595{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490204Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.595{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490203Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.578{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490202Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.566{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\C3423BA4A275B804DDDBE9B3F0BA7B09901A9986MD5=27726818916622745956743B513D34B4,SHA256=74A87FC2A927495CDA570D5FEBCD5F360086A0A1353903E8B800343876CB9257,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490201Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.536{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490200Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.532{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490199Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.464{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490198Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.440{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490197Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.431{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\1D3E53FE1AFB5B1BE079A2A56CA98656EFE74185MD5=E133B08EBD9B699E6D24617C516A96FC,SHA256=892349F375CE9096BB62B7A2ABBF287F1576BAFDF15984BEA43C563A0F84132A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490196Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.376{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490195Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.356{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490194Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.355{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490193Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.355{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490192Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.354{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490191Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.281{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490190Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.281{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490189Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.281{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490188Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.276{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490187Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.274{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490186Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.273{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490185Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.273{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490184Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.272{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490183Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.271{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490182Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.271{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490181Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.271{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490180Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.271{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490179Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.270{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490178Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.270{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490177Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.270{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490176Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.270{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490175Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.267{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490174Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.266{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490173Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.261{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490172Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.261{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490171Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.252{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5479|C:\Program Files\Mozilla Firefox\xul.dll+dc68ef|C:\Program Files\Mozilla Firefox\xul.dll+10eafb6|C:\Program Files\Mozilla Firefox\xul.dll+dc33ed|C:\Program Files\Mozilla Firefox\xul.dll+da81b0|C:\Program Files\Mozilla Firefox\xul.dll+1e87152|C:\Program Files\Mozilla Firefox\xul.dll+1971ffb|C:\Program Files\Mozilla Firefox\xul.dll+1974171|C:\Program Files\Mozilla Firefox\xul.dll+170b7e6|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1cb9179|UNKNOWN(0000023DE7B47DE4) 23542300x800000000000000018490170Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.173{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\095A2D8B7FFD47A2A83C6D5D1A4C0BA39148EBE9MD5=4AC087B207B1861F80C48619BD0BAF88,SHA256=C3A6CCF99725A19B1E582155072F9A8160632232BD471610F2E9B5FC996AE558,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253028Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:29.634{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E834EAF745C089DA0968221D0022457F,SHA256=CDDC2773FF08EF847983C7CEB33B80BCA07D033A93FCF9C296C5D832D15C2FBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018490303Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.234{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59092- 354300x800000000000000018490302Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.217{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49311- 354300x800000000000000018490301Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.216{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57925- 354300x800000000000000018490300Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.192{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57925- 354300x800000000000000018490299Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.185{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50462- 354300x800000000000000018490298Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.167{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49467- 354300x800000000000000018490297Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.159{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57231- 354300x800000000000000018490296Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.151{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59561- 354300x800000000000000018490295Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.145{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58239- 354300x800000000000000018490294Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.145{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52913- 354300x800000000000000018490293Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.133{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56152- 354300x800000000000000018490292Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.133{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59645- 354300x800000000000000018490291Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.130{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56945- 354300x800000000000000018490290Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.116{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52678- 354300x800000000000000018490289Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.115{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51263- 354300x800000000000000018490288Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.107{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56152- 354300x800000000000000018490287Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.107{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59645- 354300x800000000000000018490286Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.067{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60543-false142.250.181.234fra16s56-in-f10.1e100.net443https 354300x800000000000000018490285Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.065{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56628- 354300x800000000000000018490284Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.062{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50723- 354300x800000000000000018490283Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.047{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60542-false104.75.88.126a104-75-88-126.deploy.static.akamaitechnologies.com443https 354300x800000000000000018490282Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.036{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60541-false104.75.88.126a104-75-88-126.deploy.static.akamaitechnologies.com443https 354300x800000000000000018490281Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.031{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58752- 354300x800000000000000018490280Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.031{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53318- 354300x800000000000000018490279Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.012{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53140- 354300x800000000000000018490278Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.957{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60540-false95.100.210.129a95-100-210-129.deploy.static.akamaitechnologies.com443https 354300x800000000000000018490277Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.956{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58717- 354300x800000000000000018490276Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.950{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50964- 23542300x800000000000000018490275Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.983{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A3C8D397A81339635CF34DA3413901,SHA256=7A54EDB5BEF9810D3C7E38C31D7FD824A2A296EC5901E742140794EA775EFAAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490274Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.939{CBEA6AB7-4F82-619B-1100-000000000F02}436NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8B20EF5598DE936F7F1D2E1BC0274B59,SHA256=E59EF1D9ABF5610A188FB5A9F7A453E6FD46589A4B43A579D26951B16E6B6DED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000018490273Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.964{CBEA6AB7-55E4-619B-9101-000000000F02}5988e13136.g.akamaiedge.net095.100.210.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490272Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.773{CBEA6AB7-55E4-619B-9101-000000000F02}5988s.w.org9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490271Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.772{CBEA6AB7-55E4-619B-9101-000000000F02}5988s.w.org0192.0.77.48;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490270Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.771{CBEA6AB7-55E4-619B-9101-000000000F02}5988s.w.org0::ffff:192.0.77.48;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490269Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.698{CBEA6AB7-55E4-619B-9101-000000000F02}5988www-google-analytics.l.google.com02a00:1450:4001:830::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490268Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.696{CBEA6AB7-55E4-619B-9101-000000000F02}5988www-google-analytics.l.google.com0142.250.184.206;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000018490267Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.863{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-970.attackrange.local58460-false142.250.184.206fra24s11-in-f14.1e100.net443https 354300x800000000000000018490266Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.845{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60539-false104.75.88.126a104-75-88-126.deploy.static.akamaitechnologies.com443https 354300x800000000000000018490265Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.827{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60538-false142.250.184.206fra24s11-in-f14.1e100.net443https 354300x800000000000000018490264Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.826{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60537-false104.75.88.126a104-75-88-126.deploy.static.akamaitechnologies.com80http 354300x800000000000000018490263Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.765{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60536-false192.0.77.48s.w.org443https 354300x800000000000000018490262Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.765{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60534-false192.0.77.48s.w.org443https 354300x800000000000000018490261Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.765{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60535-false192.0.77.48s.w.org443https 354300x800000000000000018490260Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.765{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60533-false192.0.77.48s.w.org443https 354300x800000000000000018490259Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.764{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58459- 354300x800000000000000018490258Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.763{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54036- 354300x800000000000000018490257Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.761{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49869- 354300x800000000000000018490256Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.688{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59885- 354300x800000000000000018490255Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.683{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59767- 354300x800000000000000018490254Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.668{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60532-false138.128.181.29138-128-181-29.static.hostdime.com80http 354300x800000000000000018490253Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.554{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60529-false138.128.181.29138-128-181-29.static.hostdime.com80http 354300x800000000000000018490252Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.552{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52278- 354300x800000000000000018490251Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.550{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60531-false138.128.181.29138-128-181-29.static.hostdime.com80http 354300x800000000000000018490250Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.544{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60530-false138.128.181.29138-128-181-29.static.hostdime.com80http 354300x800000000000000018490249Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:26.518{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60528-false138.128.181.29138-128-181-29.static.hostdime.com80http 23542300x800000000000000018490248Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.211{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\E1D66A713D28B13B89232DF52699A5E24AD33C8AMD5=37BB7F9A75E69F4ABA70659309C49E0C,SHA256=089E97B28F9AE72E4FE44A0E82EE67A9A2EC63394DD8284E455A38ABB01DC7BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490247Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.077{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490246Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.073{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490245Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.073{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490244Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.001{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\EFDD3721927606374957AC665A28E893C031FF40MD5=07642FDE79AB2D777773007FAD2476F9,SHA256=8D9CC6D63F9D4C6D4EDCEE342786645F9184AA8F1106278677ACB4D52D2B5C79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490428Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.990{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490427Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.973{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490426Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.960{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490425Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.945{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490424Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.928{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490423Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.906{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490422Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.889{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490421Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.870{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490420Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.864{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\protections.sqlite-journalMD5=C0D367CEAA34C515B2A977AEFF2C859C,SHA256=D2198DE7471A24A3981D0F52300BCCE1BB2CEB2DD29E56480D2F23C4080ADCA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490419Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.850{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490418Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.823{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490417Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.803{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490416Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.803{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490415Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.802{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490414Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.802{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490413Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.801{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490412Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.801{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490411Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.798{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490410Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.798{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000018490409Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.857{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.unimatrixproductions.com0::ffff:192.252.149.14;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490408Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.757{CBEA6AB7-55E4-619B-9101-000000000F02}5988HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490407Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.755{CBEA6AB7-55E4-619B-9101-000000000F02}5988HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com03.223.115.185;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490406Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.754{CBEA6AB7-55E4-619B-9101-000000000F02}5988camelot.legendarydragons.com0type: 5 HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com;::ffff:3.223.115.185;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490405Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.673{CBEA6AB7-55E4-619B-9101-000000000F02}5988home.snafu.de9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490404Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.664{CBEA6AB7-55E4-619B-9101-000000000F02}5988home.snafu.de0213.73.121.30;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490403Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.664{CBEA6AB7-55E4-619B-9101-000000000F02}5988home.snafu.de0::ffff:213.73.121.30;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490402Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.655{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.derechoanglosajon.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490401Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.630{CBEA6AB7-55E4-619B-9101-000000000F02}5988e13947.dsca.akamaiedge.net02a02:26f0:3500:882::367b;2a02:26f0:3500:899::367b;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490400Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.629{CBEA6AB7-55E4-619B-9101-000000000F02}5988tommorris.org02a05:d014:275:cb01:6d79:f1b4:7197:d460;2a05:d014:275:cb01:1f85:932b:b797:22f9;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490399Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.628{CBEA6AB7-55E4-619B-9101-000000000F02}5988e13947.dsca.akamaiedge.net0104.109.85.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490398Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.627{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.avg.com0type: 5 www.avg.com.edgekey.net;type: 5 e13947.dsca.akamaiedge.net;::ffff:104.109.85.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490397Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.615{CBEA6AB7-55E4-619B-9101-000000000F02}5988tommorris.org0167.99.242.112;52.58.69.95;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490396Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.615{CBEA6AB7-55E4-619B-9101-000000000F02}5988tommorris.org0::ffff:52.58.69.95;::ffff:167.99.242.112;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490395Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.610{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.secumania.net9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490394Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.592{CBEA6AB7-55E4-619B-9101-000000000F02}5988pretentious.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490393Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.586{CBEA6AB7-55E4-619B-9101-000000000F02}5988pretentious.net023.229.192.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490392Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.585{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.pretentious.net0type: 5 pretentious.net;::ffff:23.229.192.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490391Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.585{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.av-comparatives.org02606:4700:20::681a:b2a;2606:4700:20::ac43:447f;2606:4700:20::681a:a2a;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490390Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.579{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.av-comparatives.org0104.26.11.42;172.67.68.127;104.26.10.42;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490389Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.578{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.av-comparatives.org0::ffff:104.26.10.42;::ffff:104.26.11.42;::ffff:172.67.68.127;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490388Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.578{CBEA6AB7-55E4-619B-9101-000000000F02}5988uapinc.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490387Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.572{CBEA6AB7-55E4-619B-9101-000000000F02}5988puchisoft.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490386Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.569{CBEA6AB7-55E4-619B-9101-000000000F02}5988uapinc.com0205.236.203.55;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490385Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.569{CBEA6AB7-55E4-619B-9101-000000000F02}5988uapinc.com0::ffff:205.236.203.55;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490384Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.567{CBEA6AB7-55E4-619B-9101-000000000F02}5988puchisoft.com0151.101.1.195;151.101.65.195;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490383Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.567{CBEA6AB7-55E4-619B-9101-000000000F02}5988puchisoft.com0::ffff:151.101.65.195;::ffff:151.101.1.195;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490382Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.550{CBEA6AB7-55E4-619B-9101-000000000F02}5988d147x30rup42or.cloudfront.net02600:9000:2250:4600:5:a821:e6c0:93a1;2600:9000:2250:7400:5:a821:e6c0:93a1;2600:9000:2250:4a00:5:a821:e6c0:93a1;2600:9000:2250:2600:5:a821:e6c0:93a1;2600:9000:2250:c600:5:a821:e6c0:93a1;2600:9000:2250:aa00:5:a821:e6c0:93a1;2600:9000:2250:2c00:5:a821:e6c0:93a1;2600:9000:2250:a600:5:a821:e6c0:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490381Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.547{CBEA6AB7-55E4-619B-9101-000000000F02}5988blogspot.l.googleusercontent.com02a00:1450:4001:82f::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490380Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.546{CBEA6AB7-55E4-619B-9101-000000000F02}5988d147x30rup42or.cloudfront.net018.66.122.56;18.66.122.92;18.66.122.68;18.66.122.23;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490379Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.546{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.blumentals.net0type: 5 d147x30rup42or.cloudfront.net;::ffff:18.66.122.23;::ffff:18.66.122.56;::ffff:18.66.122.92;::ffff:18.66.122.68;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490378Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.546{CBEA6AB7-55E4-619B-9101-000000000F02}5988blogspot.l.googleusercontent.com0142.250.185.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490377Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.545{CBEA6AB7-55E4-619B-9101-000000000F02}5988worldsenz.blogspot.com0type: 5 blogspot.l.googleusercontent.com;::ffff:142.250.185.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490376Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.539{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.burtonsys.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490375Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.534{CBEA6AB7-55E4-619B-9101-000000000F02}5988pcbix.dk9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490374Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.530{CBEA6AB7-55E4-619B-9101-000000000F02}5988pcbix.dk046.4.55.204;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490373Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.529{CBEA6AB7-55E4-619B-9101-000000000F02}5988pcbix.dk0::ffff:46.4.55.204;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490372Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.497{CBEA6AB7-55E4-619B-9101-000000000F02}5988multisite.geo.kaspersky.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490371Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.453{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.geeksalive.com0type: 5 www.burtonsys.com;::ffff:107.15.202.181;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490370Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.426{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.burtonsys.com0107.15.202.181;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490369Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.425{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.burtonsys.com0::ffff:107.15.202.181;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490368Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.397{CBEA6AB7-55E4-619B-9101-000000000F02}5988multisite.geo.kaspersky.com0185.85.15.33;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490367Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.396{CBEA6AB7-55E4-619B-9101-000000000F02}5988forum.kaspersky.com0type: 5 multisite.geo.kaspersky.com;::ffff:185.85.15.33;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490366Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.323{CBEA6AB7-55E4-619B-9101-000000000F02}5988e9181.dscf.akamaiedge.net02a02:26f0:d6:394::23dd;2a02:26f0:d6:3bb::23dd;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490365Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.320{CBEA6AB7-55E4-619B-9101-000000000F02}5988e9181.dscf.akamaiedge.net0104.111.237.148;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490364Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.320{CBEA6AB7-55E4-619B-9101-000000000F02}5988ghs-svc-https-c46.ghs-ssl.googlehosted.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490363Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.320{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.zonealarm.com0type: 5 www.zonealarm.com.edgekey.net;type: 5 e9181.dscf.akamaiedge.net;::ffff:104.111.237.148;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490362Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.308{CBEA6AB7-55E4-619B-9101-000000000F02}5988ghs-svc-https-c46.ghs-ssl.googlehosted.com074.125.34.46;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490361Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.307{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.virustotal.com0type: 5 ghs-svc-https-c46.ghs-ssl.googlehosted.com;::ffff:74.125.34.46;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490360Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.242{CBEA6AB7-55E4-619B-9101-000000000F02}5988portableapps.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490359Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.225{CBEA6AB7-55E4-619B-9101-000000000F02}5988portableapps.com0104.239.166.87;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490358Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.225{CBEA6AB7-55E4-619B-9101-000000000F02}5988portableapps.com0::ffff:104.239.166.87;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490357Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.199{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.rjlsoftware.com02606:4700:3033::ac43:b0b5;2606:4700:3037::6815:2391;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490356Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.192{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.rjlsoftware.com0172.67.176.181;104.21.35.145;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490355Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.189{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.rjlsoftware.com0::ffff:104.21.35.145;::ffff:172.67.176.181;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490354Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.175{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.donationcoder.com02606:4700:3034::6815:2fe8;2606:4700:3034::ac43:ae78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490353Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.168{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.donationcoder.com0172.67.174.120;104.21.47.232;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490352Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.167{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.donationcoder.com0::ffff:104.21.47.232;::ffff:172.67.174.120;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490351Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.159{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.autohotkey.com02606:4700:3035::ac43:a275;2606:4700:3034::6815:3274;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490350Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.153{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.portableapps.com0type: 5 portableapps.com;::ffff:104.239.166.87;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490349Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.153{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.autohotkey.com0172.67.162.117;104.21.50.116;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490348Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.152{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.autohotkey.com0::ffff:104.21.50.116;::ffff:172.67.162.117;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490347Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.137{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.ubcd4win.com02606:4700:3033::6815:50ef;2606:4700:3036::ac43:9b97;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490346Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.124{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.ubcd4win.com0172.67.155.151;104.21.80.239;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490345Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.123{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.ubcd4win.com0::ffff:104.21.80.239;::ffff:172.67.155.151;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001253029Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:30.650{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A3F918BEB6C0B38ED27C39CD4D2C3A,SHA256=6746A67B0D2727459599787F801AD60B69B45334C5F80F226809284D45003659,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018490344Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.647{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54329- 354300x800000000000000018490343Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.646{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54024- 354300x800000000000000018490342Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.646{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54243- 354300x800000000000000018490341Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.622{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54024- 354300x800000000000000018490340Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.621{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54243- 354300x800000000000000018490339Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.620{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57499- 354300x800000000000000018490338Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.619{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65172- 354300x800000000000000018490337Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.609{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65533- 354300x800000000000000018490336Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.585{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65533- 354300x800000000000000018490335Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.578{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57072- 354300x800000000000000018490334Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.577{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52939- 354300x800000000000000018490333Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.571{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49971- 354300x800000000000000018490332Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.564{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57490- 354300x800000000000000018490331Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.561{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57111- 354300x800000000000000018490330Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.559{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56992- 354300x800000000000000018490329Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.542{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53552- 354300x800000000000000018490328Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.538{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54410- 354300x800000000000000018490327Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.538{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59922- 354300x800000000000000018490326Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.538{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57746- 354300x800000000000000018490325Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.538{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51236- 354300x800000000000000018490324Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.536{CBEA6AB7-4F61-619B-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-970.attackrange.local137netbios-ns 354300x800000000000000018490323Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.535{CBEA6AB7-4F61-619B-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-970.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x800000000000000018490322Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.526{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55155- 354300x800000000000000018490321Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.522{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53537- 354300x800000000000000018490320Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.522{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53722- 354300x800000000000000018490319Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.514{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53360- 354300x800000000000000018490318Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.489{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53360- 354300x800000000000000018490317Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.444{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58686- 354300x800000000000000018490316Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.418{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58686- 354300x800000000000000018490315Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.415{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49495- 354300x800000000000000018490314Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.389{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60544-false104.75.88.126a104-75-88-126.deploy.static.akamaitechnologies.com443https 354300x800000000000000018490313Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.389{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49495- 354300x800000000000000018490312Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.389{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59868- 354300x800000000000000018490311Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.341{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55016- 354300x800000000000000018490310Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.315{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55016- 354300x800000000000000018490309Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.312{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52747- 354300x800000000000000018490308Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.312{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55080- 354300x800000000000000018490307Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.300{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50093- 354300x800000000000000018490306Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.291{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56485- 354300x800000000000000018490305Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.259{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59092- 354300x800000000000000018490304Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.259{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64945- 10341000x800000000000000018490484Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.979{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490483Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.916{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000018490482Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.850{CBEA6AB7-55E4-619B-9101-000000000F02}5988pegasus.jotti.org02a01:4f8:242:4aea::2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490481Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.814{CBEA6AB7-55E4-619B-9101-000000000F02}5988pegasus.jotti.org049.12.134.143;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490480Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.813{CBEA6AB7-55E4-619B-9101-000000000F02}5988virusscan.jotti.org0type: 5 pegasus.jotti.org;::ffff:49.12.134.143;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490479Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.776{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.haleymilano.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490478Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.772{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.peakoil.org.au02606:4700:3033::ac43:cf80;2606:4700:3034::6815:2d0e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490477Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.768{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.peakoil.org.au0104.21.45.14;172.67.207.128;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490476Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.767{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.peakoil.org.au0::ffff:172.67.207.128;::ffff:104.21.45.14;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490475Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.761{CBEA6AB7-55E4-619B-9101-000000000F02}5988lb.wordpress.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490474Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.758{CBEA6AB7-55E4-619B-9101-000000000F02}5988lb.wordpress.com0192.0.78.12;192.0.78.13;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490473Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.757{CBEA6AB7-55E4-619B-9101-000000000F02}5988logmeincracker.wordpress.com0type: 5 lb.wordpress.com;::ffff:192.0.78.13;::ffff:192.0.78.12;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490472Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.752{CBEA6AB7-55E4-619B-9101-000000000F02}5988autoaccidentstpaul.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490471Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.733{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.cranelaptopstand.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490470Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.715{CBEA6AB7-55E4-619B-9101-000000000F02}5988submit.symantec.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490469Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.712{CBEA6AB7-55E4-619B-9101-000000000F02}5988submit.symantec.com035.163.5.85;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490468Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.711{CBEA6AB7-55E4-619B-9101-000000000F02}5988submit.symantec.com0::ffff:35.163.5.85;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490467Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.702{CBEA6AB7-55E4-619B-9101-000000000F02}5988sourceforge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490466Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.698{CBEA6AB7-55E4-619B-9101-000000000F02}5988sourceforge.net0204.68.111.105;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490465Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.698{CBEA6AB7-55E4-619B-9101-000000000F02}5988sourceforge.net0::ffff:204.68.111.105;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490464Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.694{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.ctuser.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490463Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.656{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.ctuser.net085.13.130.9;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490462Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.656{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.ctuser.net0::ffff:85.13.130.9;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490461Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.622{CBEA6AB7-55E4-619B-9101-000000000F02}5988reifendirekt.blogspot.com0type: 5 blogspot.l.googleusercontent.com;::ffff:142.250.185.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490460Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.596{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.mediafire.comcamoyoshi9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490459Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.592{CBEA6AB7-55E4-619B-9101-000000000F02}5988forums.avg.com0type: 5 forums.avg.com.edgekey.net;type: 5 e13947.dsca.akamaiedge.net;::ffff:104.109.85.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490458Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.558{CBEA6AB7-55E4-619B-9101-000000000F02}5988ilovemiage.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490457Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.453{CBEA6AB7-55E4-619B-9101-000000000F02}5988ilovemiage.net050.87.233.27;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490456Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.453{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.ilovemiage.net0type: 5 ilovemiage.net;::ffff:50.87.233.27;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490455Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.376{CBEA6AB7-55E4-619B-9101-000000000F02}5988webdombot.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490454Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.264{CBEA6AB7-55E4-619B-9101-000000000F02}5988webdombot.com046.249.205.125;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490453Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.263{CBEA6AB7-55E4-619B-9101-000000000F02}5988webdombot.com0::ffff:46.249.205.125;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490452Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.232{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.cromosoft.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490451Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.221{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.cromosoft.com0162.210.102.230;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490450Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.220{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.cromosoft.com0::ffff:162.210.102.230;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490449Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.212{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.wahyuprimadi.co.cc9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490448Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.148{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.deinmeister.de9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490447Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.144{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.deinmeister.de0217.160.0.203;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490446Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.144{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.deinmeister.de0::ffff:217.160.0.203;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490445Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.136{CBEA6AB7-55E4-619B-9101-000000000F02}5988e13678.dscb.akamaiedge.net02a02:26f0:1700:1b8::356e;2a02:26f0:1700:1ab::356e;2a02:26f0:1700:1b2::356e;2a02:26f0:1700:1aa::356e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490444Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.122{CBEA6AB7-55E4-619B-9101-000000000F02}5988e13678.dscb.akamaiedge.net02.18.233.62;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490443Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.119{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.theregister.co.uk9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490442Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.111{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.theregister.co.uk0104.18.234.86;104.18.235.86;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490441Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.111{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.theregister.co.uk0::ffff:104.18.235.86;::ffff:104.18.234.86;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490440Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.105{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.sebn.us.to9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490439Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.961{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.unimatrixproductions.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490438Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.920{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.wahyuprimadi.co.cc0175.126.123.219;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490437Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.920{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.wahyuprimadi.co.cc0::ffff:175.126.123.219;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490436Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.858{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.unimatrixproductions.com0192.252.149.14;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001253032Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:31.667{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F20C2078584FAB1A92B657FF383F85,SHA256=06F47B0ECC008C7C2633685FEDD737DD6BBDD903F2E45E090C855EBC74F6A544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018490435Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.045{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490434Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.035{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490433Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.015{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490432Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.009{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEA06B084AEF76C76628C79313121A6,SHA256=26325B67B8D7EDE9628DDB41B13FD605B0FC4B1BE0F730F6EFEE596BF4810A42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490431Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.004{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018490430Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.656{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56016- 354300x800000000000000018490429Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.656{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51550- 23542300x80000000000000001253031Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:31.636{068A336D-4F84-619B-1200-000000001002}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0992C187B55C04BFA3B541FC1F6C2C23,SHA256=BE69F77C6D3E2BA4F02BF20DE8F7532CEB1CA74A5D626D243334FD88D240FBE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253030Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:27.365{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53562-false10.0.1.12-8000- 10341000x80000000000000001253036Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:32.808{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F84-619B-1400-000000001002}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253035Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:32.808{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F84-619B-1400-000000001002}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253034Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:32.808{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F84-619B-1400-000000001002}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253033Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:32.683{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C38AC754E5811F57A96C9D5265A32C,SHA256=8548F0FC420AF6DF446466A147CCCF1A63920F53F6D10E9C4124B34EA02A5089,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000018490570Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.278{CBEA6AB7-55E4-619B-9101-000000000F02}5988diydatarecovery.nl03.33.152.147;15.197.142.173;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490569Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.277{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.diydatarecovery.nl0type: 5 diydatarecovery.nl;::ffff:15.197.142.173;::ffff:3.33.152.147;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490568Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.268{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.tpsupremo.8k.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490567Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.245{CBEA6AB7-55E4-619B-9101-000000000F02}5988com.nu9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490566Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.227{CBEA6AB7-55E4-619B-9101-000000000F02}5988com.nu095.217.58.108;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490565Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.226{CBEA6AB7-55E4-619B-9101-000000000F02}5988nirav.com.nu0type: 5 com.nu;::ffff:95.217.58.108;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490564Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.201{CBEA6AB7-55E4-619B-9101-000000000F02}5988falsepositivereport.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490563Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.049{CBEA6AB7-55E4-619B-9101-000000000F02}5988falsepositivereport.com0204.11.56.48;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490562Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.048{CBEA6AB7-55E4-619B-9101-000000000F02}5988falsepositivereport.com0::ffff:204.11.56.48;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490561Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.892{CBEA6AB7-55E4-619B-9101-000000000F02}5988clamwin.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490560Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.889{CBEA6AB7-55E4-619B-9101-000000000F02}5988clamwin.com051.141.164.70;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490559Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.889{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.clamwin.com0type: 5 clamwin.com;::ffff:51.141.164.70;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490558Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.881{CBEA6AB7-55E4-619B-9101-000000000F02}5988gluxon.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490557Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.858{CBEA6AB7-55E4-619B-9101-000000000F02}598811776.BODIS.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490556Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.855{CBEA6AB7-55E4-619B-9101-000000000F02}598811776.BODIS.com0199.59.243.200;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490555Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.855{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.floz.0fees.net0type: 5 11776.BODIS.com;::ffff:199.59.243.200;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490554Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.815{CBEA6AB7-55E4-619B-9101-000000000F02}5988none9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490553Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.608{CBEA6AB7-55E4-619B-9101-000000000F02}5988a1814.dscr.akamai.net02a02:26f0:3500:12::1730:179f;2a02:26f0:3500:12::1730:1790;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490552Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.605{CBEA6AB7-55E4-619B-9101-000000000F02}5988a1814.dscr.akamai.net072.247.185.49;72.247.185.43;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490551Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.603{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.avgthreatlabs.com0type: 5 redman.avast.com.edgesuite.net;type: 5 a1814.dscr.akamai.net;::ffff:72.247.185.43;::ffff:72.247.185.49;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490550Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.548{CBEA6AB7-55E4-619B-9101-000000000F02}5988internetoutfitter.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490549Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.442{CBEA6AB7-55E4-619B-9101-000000000F02}5988internetoutfitter.com069.16.195.221;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490548Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.441{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.internetoutfitter.com0type: 5 internetoutfitter.com;::ffff:69.16.195.221;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490547Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.217{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.spe-sa.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490546Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.039{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.spe-sa.com0197.221.10.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490545Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.038{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.spe-sa.com0::ffff:197.221.10.206;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000018490544Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.795{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490543Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.586{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\entries\DF30128DAB3ED751A8FD251F177008493D4D421FMD5=6000281026E6C741CC67B512E8AA4D57,SHA256=8D317A0C9198D6950C66EB15B9F71559428876D90FC76BE6C93A2639CFF828BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490542Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.582{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\doomed\24691MD5=CEA00E62FDAF62224041139BFB5218CD,SHA256=BBE78FACD499B781B0B19AC50BC6EE574B49713C6865DC70C5B02797C45C1216,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490541Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.581{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\doomed\11741MD5=E2ADD0FBE501DA4B41C2DAE5FE091F83,SHA256=4CF712AAEFE1822443525485CA44B3DD1B181735B6739E6DB734EDC1D2A0ABCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490540Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.580{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\doomed\28738MD5=2F9996E487816CE56ED304C3CAC18CA2,SHA256=C5F46088F77C66679F0D07399A5B14B8978DFE540B9934A943452EC37BB88F48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490539Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.390{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490538Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.326{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490537Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.200{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490536Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.136{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490535Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.042{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490534Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:32.030{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3DBF49C3EFCF11FCFE622DED383518,SHA256=E7A8D28F56219C1064FA56EDEC03E5C50803C23E88FB160FA1AB9EF936131639,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490533Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.030{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49194- 354300x800000000000000018490532Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.867{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58636- 354300x800000000000000018490531Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.842{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58636- 354300x800000000000000018490530Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.806{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53482- 354300x800000000000000018490529Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.793{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55879- 354300x800000000000000018490528Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.768{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55879- 354300x800000000000000018490527Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.764{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52009- 354300x800000000000000018490526Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.760{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53572- 354300x800000000000000018490525Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.750{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53523- 354300x800000000000000018490524Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.749{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59044- 354300x800000000000000018490523Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.744{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51088- 354300x800000000000000018490522Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.725{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56096- 354300x800000000000000018490521Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.694{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59452- 354300x800000000000000018490520Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.690{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53374- 354300x800000000000000018490519Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.686{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51733- 354300x800000000000000018490518Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.673{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65065- 354300x800000000000000018490517Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.648{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65065- 354300x800000000000000018490516Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.648{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55667- 354300x800000000000000018490515Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.575{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57262- 354300x800000000000000018490514Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.550{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57262- 354300x800000000000000018490513Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.533{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.88.253.3838.253.88.34.bc.googleusercontent.com62826-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018490512Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.470{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58511- 354300x800000000000000018490511Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.445{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58511- 354300x800000000000000018490510Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.445{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55448- 354300x800000000000000018490509Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.408{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60545-false10.0.1.12-8000- 354300x800000000000000018490508Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.371{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56636- 354300x800000000000000018490507Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.281{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51657- 354300x800000000000000018490506Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.256{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51657- 354300x800000000000000018490505Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.250{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53774- 354300x800000000000000018490504Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.225{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53774- 354300x800000000000000018490503Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.213{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54178- 354300x800000000000000018490502Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.205{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59696- 354300x800000000000000018490501Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.165{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59883- 354300x800000000000000018490500Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.141{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59883- 354300x800000000000000018490499Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.136{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55190- 354300x800000000000000018490498Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.128{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49732- 354300x800000000000000018490497Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.114{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54427- 354300x800000000000000018490496Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.112{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65288- 354300x800000000000000018490495Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.103{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55961- 354300x800000000000000018490494Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.097{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54511- 354300x800000000000000018490493Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:28.036{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53378- 354300x800000000000000018490492Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.979{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49233- 354300x800000000000000018490491Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.953{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49233- 354300x800000000000000018490490Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.938{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56704- 354300x800000000000000018490489Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.912{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56704- 354300x800000000000000018490488Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.876{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53005- 354300x800000000000000018490487Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.850{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53005- 354300x800000000000000018490486Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.775{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56540- 354300x800000000000000018490485Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:27.749{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56540- 23542300x80000000000000001253038Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:33.699{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC7217513A241779349A14130BFF70F,SHA256=0A6D1F34B26C2967F193F762682C6E7DE7A2F5C2FBD1B0A83560FD9F47EE85BC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000018490658Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.081{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.outlookpstrecovery.com0type: 5 outlookpstrecovery.com;::ffff:104.199.118.179;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490657Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.049{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.johntnicholson.com02606:4700:3036::6815:11cf;2606:4700:3032::ac43:b24d;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490656Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.032{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.dfrsoft.com0198.27.70.84;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490655Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.031{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.dfrsoft.com0::ffff:198.27.70.84;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490654Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.030{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.johntnicholson.com0104.21.17.207;172.67.178.77;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490653Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.029{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.johntnicholson.com0::ffff:172.67.178.77;::ffff:104.21.17.207;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490652Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.012{CBEA6AB7-55E4-619B-9101-000000000F02}5988noojee.com.au9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490651Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.935{CBEA6AB7-55E4-619B-9101-000000000F02}5988drbytes.ca9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490650Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.928{CBEA6AB7-55E4-619B-9101-000000000F02}5988drbytes.ca0198.54.115.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490649Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.927{CBEA6AB7-55E4-619B-9101-000000000F02}5988drbytes.ca0::ffff:198.54.115.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490648Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.922{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.instantssl.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490647Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.897{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.instantssl.com0151.139.128.10;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490646Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.897{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.instantssl.com0::ffff:151.139.128.10;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490645Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.889{CBEA6AB7-55E4-619B-9101-000000000F02}5988noojee.com.au035.213.181.253;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490644Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.888{CBEA6AB7-55E4-619B-9101-000000000F02}5988noojee.com.au0::ffff:35.213.181.253;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490643Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.867{CBEA6AB7-55E4-619B-9101-000000000F02}5988v6s4peg.x.incapdns.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490642Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.860{CBEA6AB7-55E4-619B-9101-000000000F02}5988v6s4peg.x.incapdns.net045.60.198.209;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490641Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.860{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.thawte.com0type: 5 v6s4peg.x.incapdns.net;::ffff:45.60.198.209;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490640Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.857{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.securitywonks.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490639Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.853{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.securitywonks.net0170.249.236.236;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490638Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.852{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.securitywonks.net0::ffff:170.249.236.236;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490637Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.850{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.qlikworld.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490636Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.839{CBEA6AB7-55E4-619B-9101-000000000F02}5988nordichosting.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490635Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.829{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.qlikworld.com0213.136.69.6;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490634Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.828{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.qlikworld.com0::ffff:213.136.69.6;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490633Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.813{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.mehreganmashin.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490632Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.806{CBEA6AB7-55E4-619B-9101-000000000F02}5988nordichosting.com0193.93.253.7;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490631Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.805{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.nordichosting.com0type: 5 nordichosting.com;::ffff:193.93.253.7;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490630Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.793{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.oxfordschools.blogspot.com0type: 5 blogspot.l.googleusercontent.com;::ffff:142.250.185.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490629Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.779{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.cubonebot.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490628Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.768{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.easy-data.no9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490627Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.728{CBEA6AB7-55E4-619B-9101-000000000F02}5988pjrichardson.com0type: 5 HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com;::ffff:3.223.115.185;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490626Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.719{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.easy-data.no05.249.226.74;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490625Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.718{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.easy-data.no0::ffff:5.249.226.74;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490624Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.651{CBEA6AB7-55E4-619B-9101-000000000F02}5988droidvpn.com02606:4700:3037::6815:ac;2606:4700:3032::ac43:8024;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490623Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.642{CBEA6AB7-55E4-619B-9101-000000000F02}5988droidvpn.com0104.21.0.172;172.67.128.36;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490622Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.641{CBEA6AB7-55E4-619B-9101-000000000F02}5988droidvpn.com0::ffff:172.67.128.36;::ffff:104.21.0.172;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490621Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.634{CBEA6AB7-55E4-619B-9101-000000000F02}5988n9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490620Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.623{CBEA6AB7-55E4-619B-9101-000000000F02}5988webredir.vip.gandi.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490619Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.612{CBEA6AB7-55E4-619B-9101-000000000F02}5988webredir.vip.gandi.net0217.70.184.50;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490618Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.612{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.heritagethevillas.mu0type: 5 webredir.vip.gandi.net;::ffff:217.70.184.50;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490617Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.599{CBEA6AB7-55E4-619B-9101-000000000F02}5988themigrainesurgery.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490616Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.593{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.seogooglecom9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490615Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.590{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.win7antivirus2012.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490614Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.573{CBEA6AB7-55E4-619B-9101-000000000F02}5988fastpictureviewer.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490613Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.568{CBEA6AB7-55E4-619B-9101-000000000F02}5988fastpictureviewer.com083.166.138.38;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490612Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.567{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.fastpictureviewer.com0type: 5 fastpictureviewer.com;::ffff:83.166.138.38;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490611Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.558{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.techsmartlife.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490610Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.456{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.techsmartlife.com035.208.84.187;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490609Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.455{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.techsmartlife.com0::ffff:35.208.84.187;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490608Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.284{CBEA6AB7-55E4-619B-9101-000000000F02}5988diydatarecovery.nl9501-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000018490607Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.771{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\webappsstore.sqlite-walMD5=3AA72DCD3F05D62A566709D9FA7D42CB,SHA256=E96F5E00065D6060B8A90C7BAC83BA6B97053E9F7F4546E6912AAB4BA878D634,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490606Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.770{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\webappsstore.sqlite-shmMD5=73BD00FE54D98A3766F7D8C413E739B9,SHA256=10188A1CC91909512FB7C73C84D1254E16E649ADB74EA8181145B4C4A329F34C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490605Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.765{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\http+++blog.nirsoft.net\ls\data.sqlite-journalMD5=3FA80EB85F678C14313590F9F0A15A66,SHA256=B8320DD394A9C581E5DF6A1C37E58D19930F4FF6E0749EB315AB6B890043DD41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490604Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.743{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\http+++blog.nirsoft.net\ls\data.sqlite-journalMD5=DBC55836EBEDB1C9C9591896F315DF19,SHA256=AE60C3B4E64FE6060CA9B91AC3E4E04A8817D063F25BBA3C7783D61E92BBE1C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490603Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.733{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\http+++blog.nirsoft.net\ls\data.sqlite-journalMD5=029CB354896DB5B51C75FA084FF143CC,SHA256=2D8F01E60F723053FAAF61F54039A124C99A583D17DEF5CB5A01C4BD83B315AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490602Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.724{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\http+++blog.nirsoft.net\ls\data.sqlite-journalMD5=31828A741B3D19F7CE3862A7F67035A5,SHA256=7B557E505402C678461C98AE8A42C7EC1BCB0AE3A348DE61ED5886BD5AA1CD94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490601Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.711{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57503- 354300x800000000000000018490600Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.668{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50618- 354300x800000000000000018490599Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.651{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55788- 354300x800000000000000018490598Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.643{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50618- 354300x800000000000000018490597Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.634{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49936- 354300x800000000000000018490596Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.633{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56184- 354300x800000000000000018490595Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.626{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55788- 354300x800000000000000018490594Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.604{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56159- 354300x800000000000000018490593Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.591{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53182- 354300x800000000000000018490592Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.586{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54446- 354300x800000000000000018490591Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.560{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51000- 354300x800000000000000018490590Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.559{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52987- 354300x800000000000000018490589Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.301{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56084- 354300x800000000000000018490588Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.276{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56084- 354300x800000000000000018490587Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.260{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56868- 23542300x800000000000000018490586Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.052{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78D0323C1095CA784A9F504C8506B55,SHA256=BBDCC57643D291E2AA2BCE81830B144CF65F76130CFBD92365F601DE731AC847,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490585Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.238{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58249- 354300x800000000000000018490584Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.219{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65005- 354300x800000000000000018490583Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.194{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56496- 354300x800000000000000018490582Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.066{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52315- 354300x800000000000000018490581Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.041{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52315- 354300x800000000000000018490580Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.040{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50880- 354300x80000000000000001253037Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:30.101{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-50596-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000018490579Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.881{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49400- 354300x800000000000000018490578Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.874{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58790- 354300x800000000000000018490577Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.850{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58692- 354300x800000000000000018490576Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.847{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55119- 354300x800000000000000018490575Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.833{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64949- 354300x800000000000000018490574Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.597{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53432- 354300x800000000000000018490573Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.566{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58333- 354300x800000000000000018490572Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.541{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58333- 354300x800000000000000018490571Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:29.433{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54019- 23542300x80000000000000001253039Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:34.714{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391111CEFCEAB51ECAB40C85A4CAAD1B,SHA256=F001AC79FCEC25FA2B3B337F108C4D64DDB2DA650BBCB352883FD3C5A7F66CB5,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000018490733Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.829{CBEA6AB7-55E4-619B-9101-000000000F02}5988eggcentric.com054.165.78.236;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490732Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.829{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.eggcentric.com0type: 5 eggcentric.com;::ffff:54.165.78.236;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490731Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.819{CBEA6AB7-55E4-619B-9101-000000000F02}5988stian.sdf.org9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490730Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.717{CBEA6AB7-55E4-619B-9101-000000000F02}5988stian.sdf.org0205.166.94.33;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490729Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.717{CBEA6AB7-55E4-619B-9101-000000000F02}5988stian.sdf.org0::ffff:205.166.94.33;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490728Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.617{CBEA6AB7-55E4-619B-9101-000000000F02}5988strelecki.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490727Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.588{CBEA6AB7-55E4-619B-9101-000000000F02}5988strelecki.com097.74.182.1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490726Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.588{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.strelecki.com0type: 5 strelecki.com;::ffff:97.74.182.1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490725Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.581{CBEA6AB7-55E4-619B-9101-000000000F02}5988e11722.b.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490724Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.578{CBEA6AB7-55E4-619B-9101-000000000F02}5988e11722.b.akamaiedge.net0104.111.243.23;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490723Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.577{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.pandasecurity.com0type: 5 www.pandasecurity.com.edgekey.net;type: 5 e11722.b.akamaiedge.net;::ffff:104.111.243.23;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490722Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.573{CBEA6AB7-55E4-619B-9101-000000000F02}5988impurist.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490721Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.548{CBEA6AB7-55E4-619B-9101-000000000F02}5988impurist.com064.57.70.182;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490720Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.548{CBEA6AB7-55E4-619B-9101-000000000F02}5988impurist.com0::ffff:64.57.70.182;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490719Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.536{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.adminsoftware.biz9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490718Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.531{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.adminsoftware.biz0176.32.230.6;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490717Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.531{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.adminsoftware.biz0::ffff:176.32.230.6;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490716Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.526{CBEA6AB7-55E4-619B-9101-000000000F02}5988therandshow.blogspot.com0type: 5 blogspot.l.googleusercontent.com;::ffff:142.250.185.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490715Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.513{CBEA6AB7-55E4-619B-9101-000000000F02}5988jpcsupplies.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490714Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.475{CBEA6AB7-55E4-619B-9101-000000000F02}5988jpcsupplies.com0162.210.96.121;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490713Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.475{CBEA6AB7-55E4-619B-9101-000000000F02}5988jpcsupplies.com0::ffff:162.210.96.121;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490712Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.424{CBEA6AB7-55E4-619B-9101-000000000F02}5988ctuser.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490711Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.407{CBEA6AB7-55E4-619B-9101-000000000F02}5988electroecs.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490710Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.399{CBEA6AB7-55E4-619B-9101-000000000F02}5988ctuser.net085.13.130.9;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490709Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.398{CBEA6AB7-55E4-619B-9101-000000000F02}5988ctuser.net0::ffff:85.13.130.9;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490708Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.373{CBEA6AB7-55E4-619B-9101-000000000F02}5988brighter-vision.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490707Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.330{CBEA6AB7-55E4-619B-9101-000000000F02}5988brighter-vision.com0198.143.147.166;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490706Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.330{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.brighter-vision.com0type: 5 brighter-vision.com;::ffff:198.143.147.166;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490705Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.323{CBEA6AB7-55E4-619B-9101-000000000F02}5988electroecs.com066.96.149.1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490704Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.322{CBEA6AB7-55E4-619B-9101-000000000F02}5988electroecs.com0::ffff:66.96.149.1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490703Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.233{CBEA6AB7-55E4-619B-9101-000000000F02}5988star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490702Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.231{CBEA6AB7-55E4-619B-9101-000000000F02}5988star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490701Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.230{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490700Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.228{CBEA6AB7-55E4-619B-9101-000000000F02}5988kalkotronic.it9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490699Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.210{CBEA6AB7-55E4-619B-9101-000000000F02}5988geekoverload.co.uk9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490698Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.190{CBEA6AB7-55E4-619B-9101-000000000F02}5988kalkotronic.it0178.250.66.202;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490697Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.190{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.kalkotronic.it0type: 5 kalkotronic.it;::ffff:178.250.66.202;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490696Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.180{CBEA6AB7-55E4-619B-9101-000000000F02}5988geekoverload.co.uk077.72.1.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490695Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.180{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.geekoverload.co.uk0type: 5 geekoverload.co.uk;::ffff:77.72.1.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490694Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.149{CBEA6AB7-55E4-619B-9101-000000000F02}5988churchvictory.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490693Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.146{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.trishtech.com02606:4700:3030::6815:4c8c;2606:4700:3035::ac43:c419;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490692Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.143{CBEA6AB7-55E4-619B-9101-000000000F02}5988churchvictory.com03.33.152.147;15.197.142.173;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490691Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.142{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.churchvictory.com0type: 5 churchvictory.com;::ffff:15.197.142.173;::ffff:3.33.152.147;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490690Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.142{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.trishtech.com0172.67.196.25;104.21.76.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490689Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.138{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.trishtech.com0::ffff:104.21.76.140;::ffff:172.67.196.25;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490688Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.132{CBEA6AB7-55E4-619B-9101-000000000F02}5988virtual-asylum.com9003-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490687Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.122{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.fdaimports.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490686Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.119{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.dfrsoft.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490685Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.115{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.fdaimports.com0192.124.249.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490684Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.114{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.fdaimports.com0::ffff:192.124.249.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490683Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.101{CBEA6AB7-55E4-619B-9101-000000000F02}5988outlookpstrecovery.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490682Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.082{CBEA6AB7-55E4-619B-9101-000000000F02}5988outlookpstrecovery.com0104.199.118.179;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000018490681Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.074{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8BFF19B1E2EC01DE587E37F84C9646,SHA256=1B54A80D2B15F50DECCD3AC8F3888F23A65E216C6F97F8A25DE54CA9B72C98E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490680Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.022{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55528- 354300x800000000000000018490679Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.022{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52556- 354300x800000000000000018490678Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.005{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51177- 354300x800000000000000018490677Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.953{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57839- 354300x800000000000000018490676Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.928{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57839- 354300x800000000000000018490675Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.920{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52443- 354300x800000000000000018490674Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.906{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64952- 354300x800000000000000018490673Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.889{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49830- 354300x800000000000000018490672Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.881{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49518- 354300x800000000000000018490671Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.852{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50229- 354300x800000000000000018490670Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.852{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56952- 354300x800000000000000018490669Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.843{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58426- 354300x800000000000000018490668Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.832{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52191- 354300x800000000000000018490667Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.823{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54116- 354300x800000000000000018490666Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.821{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52021- 354300x800000000000000018490665Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.805{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59528- 354300x800000000000000018490664Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.798{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54116- 354300x800000000000000018490663Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.798{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65194- 354300x800000000000000018490662Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.786{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57858- 354300x800000000000000018490661Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.760{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54378- 354300x800000000000000018490660Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.746{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58279- 354300x800000000000000018490659Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:30.721{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58279- 23542300x80000000000000001253042Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:35.730{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88D19B3AE97A163CD7D063756E10B51,SHA256=AB1805D97F7106874D6CE7962B71F93B6681E3128738E29E0EBF79D741F9E0F1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000018490797Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.857{CBEA6AB7-55E4-619B-9101-000000000F02}5988majax113back.blogspot.com0type: 5 blogspot.l.googleusercontent.com;::ffff:142.250.185.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490796Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.846{CBEA6AB7-55E4-619B-9101-000000000F02}5988scanner3d.it9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490795Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.840{CBEA6AB7-55E4-619B-9101-000000000F02}5988scanner3d.it0213.186.33.5;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490794Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.840{CBEA6AB7-55E4-619B-9101-000000000F02}5988scanner3d.it0::ffff:213.186.33.5;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490793Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.831{CBEA6AB7-55E4-619B-9101-000000000F02}5988eggcentric.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000018490792Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:35.095{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512B12A2EFCE8AE38520066BB8D67176,SHA256=7224AC8C2E07BB7461221722A81589B77EFCFF7CCCB4931C4A0EDFC7CD10ACB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490791Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.838{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49699- 354300x800000000000000018490790Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.833{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50888- 354300x800000000000000018490789Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.832{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53138- 354300x800000000000000018490788Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.821{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51321- 354300x800000000000000018490787Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.821{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56420- 354300x800000000000000018490786Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.734{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65167- 354300x800000000000000018490785Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.709{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65167- 354300x800000000000000018490784Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.709{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56237- 354300x800000000000000018490783Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.606{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53148- 354300x800000000000000018490782Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.580{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53148- 354300x800000000000000018490781Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.580{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58540- 354300x800000000000000018490780Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.573{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58474- 354300x800000000000000018490779Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.570{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55609- 354300x800000000000000018490778Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.570{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49563- 354300x800000000000000018490777Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.566{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59274- 354300x800000000000000018490776Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.565{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50054- 354300x800000000000000018490775Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.540{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50054- 354300x800000000000000018490774Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.528{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51541- 354300x800000000000000018490773Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.523{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49507- 354300x800000000000000018490772Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.518{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59031- 354300x800000000000000018490771Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.505{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56712- 354300x800000000000000018490770Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.493{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65282- 354300x800000000000000018490769Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.467{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65282- 354300x800000000000000018490768Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.467{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51110- 354300x800000000000000018490767Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.425{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58844- 354300x800000000000000018490766Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.400{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58844- 354300x800000000000000018490765Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.348{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53038- 354300x800000000000000018490764Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.340{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54537- 354300x800000000000000018490763Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.323{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53038- 354300x800000000000000018490762Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.315{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54537- 354300x800000000000000018490761Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.315{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59787- 354300x800000000000000018490760Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.251{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56771- 354300x800000000000000018490759Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.228{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57238- 354300x800000000000000018490758Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.225{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56771- 354300x800000000000000018490757Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.223{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58910- 354300x800000000000000018490756Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.223{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52700- 354300x800000000000000018490755Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.221{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57435- 354300x800000000000000018490754Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.207{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53395- 354300x800000000000000018490753Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.202{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57238- 354300x800000000000000018490752Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.198{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59511- 354300x800000000000000018490751Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.182{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53395- 354300x800000000000000018490750Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.182{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59901- 354300x800000000000000018490749Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.172{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59511- 354300x800000000000000018490748Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.172{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57036- 354300x800000000000000018490747Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.168{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49920- 354300x800000000000000018490746Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.164{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52972- 354300x800000000000000018490745Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.142{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49920- 354300x800000000000000018490744Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.138{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52972- 354300x800000000000000018490743Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.135{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57100- 354300x800000000000000018490742Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.134{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51786- 354300x800000000000000018490741Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.131{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57311- 354300x800000000000000018490740Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.125{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53388- 354300x800000000000000018490739Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.111{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53047- 354300x800000000000000018490738Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.093{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57955- 354300x800000000000000018490737Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.074{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51200- 354300x800000000000000018490736Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.073{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56139- 354300x800000000000000018490735Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.066{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65360- 354300x800000000000000018490734Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.042{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65360- 354300x80000000000000001253041Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:32.294{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-59072-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253040Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:31.549{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-53680-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253044Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:36.746{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3D51B6280AE53B18AFBC10E68A2FCA,SHA256=32299D0B1B1B7556DEAD42BC08805C3AB8D1A094C9A0A62D49A513E2B68BC49B,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000018490811Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.132{CBEA6AB7-55E4-619B-9101-000000000F02}5988tpop-api.twitter.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490810Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.131{CBEA6AB7-55E4-619B-9101-000000000F02}5988firefromthesky.org9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490809Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.010{CBEA6AB7-55E4-619B-9101-000000000F02}5988firefromthesky.org0142.11.217.162;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490808Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.009{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.firefromthesky.org0type: 5 firefromthesky.org;::ffff:142.11.217.162;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490807Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.761{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.safeparentalcontrol.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490806Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.753{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.safeparentalcontrol.com0185.53.177.51;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490805Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.753{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.safeparentalcontrol.com0::ffff:185.53.177.51;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490804Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.732{CBEA6AB7-55E4-619B-9101-000000000F02}5988headgone.net02607:f1c0:100f:f000::273;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490803Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.725{CBEA6AB7-55E4-619B-9101-000000000F02}5988headgone.net074.208.236.4;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490802Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.724{CBEA6AB7-55E4-619B-9101-000000000F02}5988headgone.net0::ffff:74.208.236.4;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490801Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.688{CBEA6AB7-55E4-619B-9101-000000000F02}5988na9003-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000018490800Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:36.116{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B54CD6E7890E74E101F2122A18D4AE,SHA256=1447ACBA2759EE93A5924BEF34C1637F7C18697E495EAD6F8AF092B2A3411F2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490799Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.876{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55711- 354300x800000000000000018490798Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:31.850{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55711- 354300x80000000000000001253043Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:33.398{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53563-false10.0.1.12-8000- 23542300x80000000000000001253045Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:37.761{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52BA5524A6DD67FF26C435BE5928E23B,SHA256=AA6957BF96095D0922EACE3CED8B541F8A8BBDCCBAA870CE80E29C1EA2BA695C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490829Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:37.840{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=F8B7DE72A7A2E72057A3819FD536DB74,SHA256=84CDEE90F5F99187FAEE674DF21940F014BE215583514329EDC4C57C5CA00C17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490828Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:37.308{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22247E090CDFC130172FA4B0698F8D35,SHA256=E39B54036489F82687D5AB46C3A3E6674D57C13995C8F0A7D5B8DE81DECB7345,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490827Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:37.307{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC73B4892A47BE654A9D2FA325D42F54,SHA256=B1E01999E53DAF16AD00C593778FC3FA1EB1CBDB548FDADC277FD17054C7E1B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490826Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:37.022{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CDF2767CC70DD0A7B69AD8A81B2045,SHA256=0A5873DF9B4EB75DE4FF941AC94F4557B36FC846E3EBCC77C5991C7CCA87341C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490825Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.128{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-64030-true2001:500:2f:0:0:0:0:ff.root-servers.net53domain 354300x800000000000000018490824Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.026{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52719- 354300x800000000000000018490823Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.002{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local52719- 354300x800000000000000018490822Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.001{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49787- 354300x800000000000000018490821Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.778{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49414- 354300x800000000000000018490820Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.753{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49414- 354300x800000000000000018490819Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.745{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58859- 354300x800000000000000018490818Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.724{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49738- 354300x800000000000000018490817Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.717{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51615- 354300x800000000000000018490816Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.716{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54719- 354300x800000000000000018490815Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.706{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49177- 354300x800000000000000018490814Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.681{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49177- 354300x800000000000000018490813Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.450{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60546-false10.0.1.12-8000- 354300x800000000000000018490812Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:33.404{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-63238-true2001:500:2d:0:0:0:0:dd.root-servers.net53domain 23542300x80000000000000001253046Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:38.792{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92A3CE25CB659AA55A8ED46788822A2,SHA256=B27F2F87CCBDF2A57E638D323113AA5053B214D00DC4F2942BB29127A606BDF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490830Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:38.028{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF14F373C0325A53A44B0C3D5724C587,SHA256=088FCE789C6DA8C1D84005F8746344BDFB6E9415474B67CA65EB7BA263F886AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253047Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:39.808{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7849663487AAF234C80E9539FC8741B4,SHA256=D80DE4929A6A0947A54D7658A52040A92151C76DD4DAD866983AEAFD57752E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490833Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:39.875{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490832Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:39.034{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E085669BD9B5791876B0C6FE5AD3BB8B,SHA256=17C27D95FA24F7AE6AB40C700B9A7E477E17E9967BD6F067BAF931484277CC11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490831Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:34.879{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-64225-true2001:503:c27:0:0:0:2:30j.root-servers.net53domain 10341000x80000000000000001253075Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253074Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253073Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253072Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253071Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253070Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253069Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253068Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9784-619B-0609-000000001002}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253067Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253066Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253065Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9784-619B-0609-000000001002}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253064Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.964{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9784-619B-0609-000000001002}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253063Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.966{068A336D-9784-619B-0609-000000001002}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253062Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.824{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567283D03353A2C97B67A4ABB4E38837,SHA256=05E3A0C4371374191BA4C5B3BE912CD41FDF5ED2AD003676E9CD130F1B03C0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490834Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:40.040{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4F64A99DACFA807792A97BE11A87A7,SHA256=33B0A8233773216B8E8E486B9614DC2EFF95998EA2733870D762EB28820AE763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253061Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9784-619B-0509-000000001002}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253060Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253059Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253058Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253057Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253056Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253055Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253054Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253053Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253052Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F82-619B-0500-000000001002}41692C:\Windows\system32\csrss.exe{068A336D-9784-619B-0509-000000001002}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253051Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253050Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.464{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9784-619B-0509-000000001002}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253049Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:40.465{068A336D-9784-619B-0509-000000001002}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001253048Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:37.236{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-42274-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000018490835Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:41.045{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8919E7C395F7CEF640EE8E95B0633C2,SHA256=6393785C8910C67813C2601CE00B1D72F954FBC413D3E4AECB095D0162AE3351,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253091Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9785-619B-0709-000000001002}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253090Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253089Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253088Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253087Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253086Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253085Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253084Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253083Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253082Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253081Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9785-619B-0709-000000001002}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253080Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.464{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9785-619B-0709-000000001002}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253079Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.465{068A336D-9785-619B-0709-000000001002}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001253078Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:38.949{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-54118-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253077Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:38.398{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53564-false10.0.1.12-8000- 10341000x80000000000000001253076Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.246{068A336D-9784-619B-0609-000000001002}8361104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490837Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:42.049{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24DA5F06AC735E90D9B363DDA3FE201,SHA256=711E53A716BE815FE50D104342429A5DCD58C3F8ACB25FF85F8E09B1877DB071,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253092Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:42.167{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3D7F22D338B378398D381E1651DD81,SHA256=32C2D66DC62338089BDA98EC27AAB23D292C865C74606D44CA2B7A58090C8E87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018490836Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:37.731{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-63238-true2001:500:a8:0:0:0:0:ee.root-servers.net53domain 11241100x800000000000000018490847Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:43.856{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\AlternateServices.txt2021-11-15 14:43:45.397 23542300x800000000000000018490846Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:43.856{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\AlternateServices.txtMD5=1801BABE0D8C769209146D7CE78092F5,SHA256=D06DD859F28CF7C31DC4B6A31FF72FAD39C3DC7F5A76E80F3BDC4F7610A94AE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000018490845Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:43.752{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\SiteSecurityServiceState.txt2021-11-15 14:43:45.297 23542300x800000000000000018490844Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:43.751{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\SiteSecurityServiceState.txtMD5=BEFD3C1D72AA43BC8DCA35C9F1C446F2,SHA256=BFD0B1A31713850AB3D66C114F06A8973C48BFB9533D2D95AAC85DC8256ADDBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490843Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:43.641{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490842Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:43.390{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7497DAECADBD29FFF245515089A66045,SHA256=B262CFFE8ECD608DC6002BA755265F64CC73AC21AF62D08EE82FD9B1753D9D28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490841Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:43.390{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=888896DFAA564B2D14E418CF3E9C0455,SHA256=ECE3B9C05D69429FD1892C2893EA899F00E24A77240DF8DBF1CF873A03E19848,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490840Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:43.054{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907CD81FBF37F22274F7FCB50C7DA8C0,SHA256=A8556902796D5FCC7AECC8B1DE6B73BC004DA1E69AC0F97161762E9EEFAE7028,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253106Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9787-619B-0809-000000001002}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253105Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253104Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253103Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253102Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253101Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253100Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253099Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253098Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253097Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253096Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-9787-619B-0809-000000001002}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253095Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.964{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9787-619B-0809-000000001002}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253094Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.965{068A336D-9787-619B-0809-000000001002}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253093Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:43.199{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238066C2D7B17B4E14794FE4318E2F57,SHA256=86D0BA195941C23E225DEB6FF7622A0FACF98347FE421073EB0AF6C4B9C8FA1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018490839Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:39.399{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60547-false10.0.1.12-8000- 354300x800000000000000018490838Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:38.882{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-64405-true2001:500:200:0:0:0:0:bb.root-servers.net53domain 10341000x80000000000000001253123Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.917{068A336D-9788-619B-0909-000000001002}38363480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253122Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9788-619B-0909-000000001002}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253121Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253120Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253119Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253118Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253117Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253116Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253115Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253114Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253113Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253112Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-9788-619B-0909-000000001002}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253111Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.636{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9788-619B-0909-000000001002}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253110Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.637{068A336D-9788-619B-0909-000000001002}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001253109Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:41.785{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-47402-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253108Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.246{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003E9724B6E6908C5901903081D1CFC6,SHA256=170E11A62147B2C0F4C108381481F86E9F821472108B9A08F3FB9EB24F94C741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490855Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:44.923{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F84355B8D0B74F4780888E648F48BC2,SHA256=05CA0ADCA9511E73277B8404FA49156CAABF1153237FCDA5C4C70E15E934C490,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490854Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:44.923{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22247E090CDFC130172FA4B0698F8D35,SHA256=E39B54036489F82687D5AB46C3A3E6674D57C13995C8F0A7D5B8DE81DECB7345,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000018490853Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:41.342{CBEA6AB7-55E4-619B-9101-000000000F02}5988trustportaustralia.com.au9002-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018490852Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:40.635{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.weiserware.com1460-C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000018490851Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:44.523{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F82-619B-1500-000000000F02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490850Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:44.522{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F82-619B-1500-000000000F02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490849Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:44.522{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F82-619B-1500-000000000F02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490848Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:44.061{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABE0E123B52CE5945309093645709C5,SHA256=E960A8625692F283979E23DE65550B98E83F122A0C36FCEBF67CCAF502AC0304,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253107Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.167{068A336D-9787-619B-0809-000000001002}20963936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253139Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.589{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD36547A2E46CFEE266B24A2ADFC6B84,SHA256=12D2DC439754F661C27C795E2003002475A3572CEFED4141059178158578D8CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253138Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:42.638{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-33926-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001253137Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.324{068A336D-9789-619B-0A09-000000001002}23082820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018490857Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:45.066{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FB9900642AA21D971F8F97F350AF5E,SHA256=DDAE79096F8A85523482134C105C49518449A605F0FC107AD96247F6B5A91D73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253136Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9789-619B-0A09-000000001002}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253135Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253134Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253133Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253132Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253131Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253130Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253129Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253128Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253127Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253126Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9789-619B-0A09-000000001002}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253125Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.136{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9789-619B-0A09-000000001002}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253124Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:45.137{068A336D-9789-619B-0A09-000000001002}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018490856Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:41.840{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-58926-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x80000000000000001253141Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:44.382{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53565-false10.0.1.12-8000- 23542300x80000000000000001253140Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:46.449{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B42BB1FB12B93C2D4D23D3C31A4EE7F,SHA256=F31463D91E3B4D7F77D28DC73C6A15F7BA5240A4299253E01919538F210DBAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490858Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:46.077{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AEBA6B726C048332E58DCA108EFE24,SHA256=418DBBD413C03073FAAE81E60B2939C5F287A0686E973288185EAA68B2BB32D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253143Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:47.480{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9566B96363BBBF2321C756256657C47,SHA256=831D2F4001B934668FC3A09C046A83E0C83DA9986EDEDAD74D9448B893D283EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490859Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:47.080{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9665F0E4F235D2C06DE5F60A8880A2A4,SHA256=3429D2370CB423DA4E4D3151D27D62A66BAF69F59706F3F806B6D0177F7AFE35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253142Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:47.417{068A336D-4F85-619B-1F00-000000001002}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253157Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.496{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217FBA142197738A7D41D7B5674CBDC8,SHA256=938E7084D05C70DE34299ACB6A0E6E375AA65982D66231E71782F8FAED04033F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018490870Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.921{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-978C-619B-CF09-000000000F02}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490869Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.919{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490868Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.919{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490867Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.918{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490866Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.918{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490865Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.917{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-978C-619B-CF09-000000000F02}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018490864Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.917{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-978C-619B-CF09-000000000F02}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018490863Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.916{CBEA6AB7-978C-619B-CF09-000000000F02}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018490862Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.183{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F84355B8D0B74F4780888E648F48BC2,SHA256=05CA0ADCA9511E73277B8404FA49156CAABF1153237FCDA5C4C70E15E934C490,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490861Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:48.083{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE4744C46FABA28EE813CEBFE3D3F56,SHA256=13D2522D9FA6C27DEF0E5F844CA624428005C3C269EEB6F6CEDC1BB35B4F1F7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253156Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-978C-619B-0B09-000000001002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253155Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253154Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253153Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253152Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253151Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253150Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253149Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253148Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253147Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253146Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-978C-619B-0B09-000000001002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253145Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.136{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-978C-619B-0B09-000000001002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253144Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:48.137{068A336D-978C-619B-0B09-000000001002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018490860Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:45.021{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-37304-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x80000000000000001253159Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:46.648{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53566-false10.0.1.12-8089- 23542300x80000000000000001253158Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:49.511{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA732E7879219D282DA84AE14282B8F,SHA256=1DAF363B3FA7AA1036F534CDA4BD4D9B6D15D6064B95B8F95305BE60EBF4CEA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490882Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.920{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC9C0FDA63DF0ADED2129B26F5CE295,SHA256=B9DC8AD5DEFBA0CE8647D8A41AA75A5A94BBB906F14527FD85BCE654590CBAB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490881Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.811{CBEA6AB7-978D-619B-D009-000000000F02}70647028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490880Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.586{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-978D-619B-D009-000000000F02}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490879Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.582{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490878Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.581{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490877Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.581{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490876Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.581{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490875Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.581{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-978D-619B-D009-000000000F02}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018490874Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.581{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-978D-619B-D009-000000000F02}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018490873Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.580{CBEA6AB7-978D-619B-D009-000000000F02}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018490872Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.089{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668721864CB4F6E03597D536ABCEE140,SHA256=B3C41B251AACC40AA7D97CB5B995633BA9A9ACAB753A7CB52D4FE46496195570,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490871Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:45.344{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60548-false10.0.1.12-8000- 23542300x80000000000000001253160Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:50.527{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D8EEEC66DD7F10AFEF5DEBCD5442B9,SHA256=C68F449E31CF170F249443D3A1DBE0F45D774FA70B8254CA1EC5A500C3000F50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018490893Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.250{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-978E-619B-D109-000000000F02}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490892Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.248{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490891Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.248{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490890Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.248{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490889Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.248{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490888Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.247{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-978E-619B-D109-000000000F02}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018490887Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.247{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-978E-619B-D109-000000000F02}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018490886Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.246{CBEA6AB7-978E-619B-D109-000000000F02}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018490885Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.100{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1573C11E88B48476A4096B180D42D0BD,SHA256=B0F7F35C2D2A8CFEE7C2A4773F42344AA105AA0FF2B786BF065132947C1834C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018490884Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:47.211{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-52670-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018490883Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:46.736{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-64405-true2001:500:2:0:0:0:0:cc.root-servers.net53domain 354300x80000000000000001253162Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:49.892{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-41474-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253161Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:51.558{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153B0294E203B9BEC82FB1C1BA27A49E,SHA256=8D3B0635B8E60CD01E5C04BA0FBAC6B3375FE268BDC416F96092EFEF2EFD88CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018490903Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.902{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-978F-619B-D209-000000000F02}7204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490902Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.900{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490901Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.900{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490900Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.899{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490899Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.899{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490898Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.899{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-978F-619B-D209-000000000F02}7204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018490897Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.899{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-978F-619B-D209-000000000F02}7204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018490896Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.896{CBEA6AB7-978F-619B-D209-000000000F02}7204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018490895Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.249{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DD3BC42BBCDF3DE6190A4F41B5388DD,SHA256=F56E94996A74172B665FFCC5E9B50231F110CBF1807D9CD06B2D5080D6C7C709,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490894Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.105{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE3E85D98E8FBC0D8DF9507012C45D8,SHA256=D900A7D4EE9E2A112EB4044AEC950CC61C972D9A288D980A27E32374FF7E9A75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253163Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:52.578{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067FE786956AC4BFAD24F8EEC85F2234,SHA256=CAD5B6226E8974DC588C04519F1B19370F4CE361FE67805A1D2AF8269B6F4EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490940Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.973{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70331BD0707109E8FDADC32812F73D70,SHA256=E6954F12240F71A6F6C093DC96B4390B0BD45CA6D4649461F2341B44CD70A191,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490939Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.973{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36888D1154DADDF014B8BBE416A90F2C,SHA256=3E143B48F962707CF3F2F3C45715D16D57B609055A8728D61B15D000E2C2CF98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490938Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.808{CBEA6AB7-9790-619B-D309-000000000F02}76566540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490937Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.751{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490936Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.751{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490935Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.739{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490934Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.686{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+ae8612|C:\Program Files\Mozilla Firefox\xul.dll+ae1700|C:\Program Files\Mozilla Firefox\xul.dll+ae2546|C:\Program Files\Mozilla Firefox\xul.dll+affd24|C:\Program Files\Mozilla Firefox\xul.dll+a9a009|C:\Program Files\Mozilla Firefox\xul.dll+ae792e|C:\Program Files\Mozilla Firefox\xul.dll+199fa69|C:\Program Files\Mozilla Firefox\xul.dll+18b0d93|C:\Program Files\Mozilla Firefox\xul.dll+18af0cf|C:\Program Files\Mozilla Firefox\xul.dll+1a9abbf|C:\Program Files\Mozilla Firefox\xul.dll+1a99aaf|C:\Program Files\Mozilla Firefox\xul.dll+18ad353|C:\Program Files\Mozilla Firefox\xul.dll+f53a0c|C:\Program Files\Mozilla Firefox\xul.dll+f53ecf|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9 10341000x800000000000000018490933Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.685{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490932Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.685{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490931Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.685{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490930Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.685{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490929Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.684{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490928Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.684{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490927Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.684{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490926Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.684{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490925Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.683{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490924Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.683{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490923Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.681{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490922Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.680{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490921Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.680{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490920Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.658{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439ee|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+e903d5|C:\Program Files\Mozilla Firefox\xul.dll+1a479e3|C:\Program Files\Mozilla Firefox\xul.dll+16f86ad|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+b962fe 10341000x800000000000000018490919Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.658{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439c7|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+e903d5|C:\Program Files\Mozilla Firefox\xul.dll+1a479e3|C:\Program Files\Mozilla Firefox\xul.dll+16f86ad|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+b962fe 10341000x800000000000000018490918Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.657{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e4399c|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+e903d5|C:\Program Files\Mozilla Firefox\xul.dll+1a479e3|C:\Program Files\Mozilla Firefox\xul.dll+16f86ad|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+b962fe 10341000x800000000000000018490917Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.642{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439ee|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+b962fe|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf 10341000x800000000000000018490916Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.642{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439c7|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+b962fe|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf 10341000x800000000000000018490915Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.642{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e4399c|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+b962fe|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf 23542300x800000000000000018490914Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.605{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\wBEiFSkc.zip.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490913Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.576{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9790-619B-D309-000000000F02}7656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490912Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.575{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490911Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.574{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490910Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.574{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490909Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.574{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490908Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.574{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-9790-619B-D309-000000000F02}7656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018490907Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.574{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9790-619B-D309-000000000F02}7656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018490906Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.573{CBEA6AB7-9790-619B-D309-000000000F02}7656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018490905Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.118{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C32FB863908DF27276FBD6D6C56AB9F,SHA256=D5E9D1D6995624C2782EEBAAD378E64C3D372A73DA45B10DC7C7B237EEA50845,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490904Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.093{CBEA6AB7-978F-619B-D209-000000000F02}72046276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001253166Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:51.376{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-52742-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253165Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:53.594{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4120B4A9A48390F12243DBD545BF26FE,SHA256=6DE5714C8DCA7441D0B91BB729D68A5F01D66CC324A5D60C9639CEB93FE0AAAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018490976Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.919{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9791-619B-D509-000000000F02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490975Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.917{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490974Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.916{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490973Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.916{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490972Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.916{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490971Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.916{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-9791-619B-D509-000000000F02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018490970Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.916{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9791-619B-D509-000000000F02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018490969Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.914{CBEA6AB7-9791-619B-D509-000000000F02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018490968Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.905{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA4B6E47D83306D4DFF657440F8F0A31,SHA256=75E46B4A7E03C2B7597CA7BFE793D69F6802E249EC26EAFC08317FC9BEB88303,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490967Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.826{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490966Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.674{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490965Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.419{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490964Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.419{CBEA6AB7-9791-619B-D409-000000000F02}21407392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490963Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.418{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490962Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.358{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490961Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.357{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490960Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.326{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490959Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.325{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490958Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.294{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490957Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.293{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490956Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.263{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490955Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.263{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490954Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.262{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490953Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.262{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490952Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.239{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9791-619B-D409-000000000F02}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490951Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.236{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490950Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.236{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490949Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.236{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490948Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.236{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490947Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.236{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-9791-619B-D409-000000000F02}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018490946Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.235{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9791-619B-D409-000000000F02}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018490945Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.235{CBEA6AB7-9791-619B-D409-000000000F02}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018490944Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.229{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018490943Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.229{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 23542300x800000000000000018490942Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:53.125{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F98CE8DC6F713864996994897F0CDC,SHA256=75192EDC9BB00186239B3227458F18BB49C2407344DA3ABA44D8D337A4088382,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253164Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:50.429{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53567-false10.0.1.12-8000- 354300x800000000000000018490941Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:49.346{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-57280-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001253167Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:54.609{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D48CF7414B0C660D126B66B59FF1D7,SHA256=10C8EFCEEB4FB03C82A56805EDFB53D1D3F5CFED5711780D30504D1CFB7A6AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018490991Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.919{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92DBB8A972F15786D8D223849BC8A438,SHA256=BA5E97AF9401BE25F7D249E9E4BA3362255EDEC91D894668F5CAEE3D7D099610,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 15241500x800000000000000018490990Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.376{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\webbrowserpassview.zip:Zone.Identifier2021-11-22 13:13:52.602MD5=2FFBFC085FAA441E8E80745F39253405,SHA256=0291C65C4D2631CE250E21EDC09DC40DCCA3D873E69AFF919045130077C4E020,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 ReferrerUrl=https://www.nirsoft.net/utils/web_browser_password.html HostUrl=https://www.nirsoft.net/toolsdownload/webbrowserpassview.zip 11241100x800000000000000018490989Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:13:54.376{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\webbrowserpassview.zip:Zone.Identifier2021-11-22 13:13:52.602 15241500x800000000000000018490988Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.373{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\webbrowserpassview.zip2021-11-22 13:13:52.602MD5=506A7E6AB00F2D72BE447E5C1B3B776C,SHA256=3B7C7FF46716908D825E7303DD920A75B30AF8F1D106A154C714473563191C0B,IMPHASH=00000000000000000000000000000000- 23542300x800000000000000018490987Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.318{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719D32CA5621E3DF383BF2A3BD123C09,SHA256=C74C9E445ECD0BCD495632C78469FE24D6A058502237AC63D5AD8D34486A4B86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018490986Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.309{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6531CA55099B05B41EFD892F3F451911,SHA256=A35B51FD55B68E885AAD8398799676DBA65626590E161B3B07396BB204931D2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018490985Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.240{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000018490984Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:13:54.223{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\webbrowserpassview.zip2021-11-22 13:13:54.223 10341000x800000000000000018490983Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.123{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 354300x800000000000000018490982Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.066{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60550-false104.75.88.126a104-75-88-126.deploy.static.akamaitechnologies.com443https 354300x800000000000000018490981Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.913{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-33254-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018490980Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.809{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-50234-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018490979Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.578{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60549-false138.128.181.29138-128-181-29.static.hostdime.com443https 354300x800000000000000018490978Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.466{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51813- 354300x800000000000000018490977Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:50.462{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55708- 23542300x80000000000000001253168Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:55.641{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7637A0E7362DEBEEF988791B6309BD57,SHA256=567875A558819BA3D9D4164E032210DA3972BFB53357141903CA4E82ED26D2CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491002Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.719{CBEA6AB7-55E4-619B-9101-000000000F02}59886656C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e4d35f|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491001Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.715{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x800000000000000018491000Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.715{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+ae8612|C:\Program Files\Mozilla Firefox\xul.dll+ae1700|C:\Program Files\Mozilla Firefox\xul.dll+ae2546|C:\Program Files\Mozilla Firefox\xul.dll+affd24|C:\Program Files\Mozilla Firefox\xul.dll+a9a009|C:\Program Files\Mozilla Firefox\xul.dll+ae792e|C:\Program Files\Mozilla Firefox\xul.dll+199fa69|C:\Program Files\Mozilla Firefox\xul.dll+18b0d93|C:\Program Files\Mozilla Firefox\xul.dll+18af0cf|C:\Program Files\Mozilla Firefox\xul.dll+37d84d|C:\Program Files\Mozilla Firefox\xul.dll+f35dd6|C:\Program Files\Mozilla Firefox\xul.dll+f356da|C:\Program Files\Mozilla Firefox\xul.dll+f3586e|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88 10341000x800000000000000018490999Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.672{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490998Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.671{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490997Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.671{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490996Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.661{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439ee|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+38be22c|C:\Program Files\Mozilla Firefox\xul.dll+38be5bd|C:\Program Files\Mozilla Firefox\xul.dll+358f931|C:\Program Files\Mozilla Firefox\xul.dll+2c9496d|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+15f058|C:\Program Files\Mozilla Firefox\xul.dll+1ae3818 10341000x800000000000000018490995Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.661{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439c7|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+38be22c|C:\Program Files\Mozilla Firefox\xul.dll+38be5bd|C:\Program Files\Mozilla Firefox\xul.dll+358f931|C:\Program Files\Mozilla Firefox\xul.dll+2c9496d|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+15f058|C:\Program Files\Mozilla Firefox\xul.dll+1ae3818 10341000x800000000000000018490994Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.661{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e4399c|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+38be22c|C:\Program Files\Mozilla Firefox\xul.dll+38be5bd|C:\Program Files\Mozilla Firefox\xul.dll+358f931|C:\Program Files\Mozilla Firefox\xul.dll+2c9496d|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+15f058|C:\Program Files\Mozilla Firefox\xul.dll+1ae3818 10341000x800000000000000018490993Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.654{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+f521c9|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3 23542300x800000000000000018490992Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.236{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C528401B89B0E1A548721A27E22137,SHA256=95A77B7F9F204D655F9A50CEE63EF260411A0E433BAB3B8266E8A86B49B6F651,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253169Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:56.656{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5358217E12B14704C632B87D5F63944A,SHA256=C06DD852175C180017EE62CC485AB315774E8BA87C2FF0BCB0B328B0AA3A361A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491016Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:56.671{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x800000000000000018491015Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:56.575{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491014Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:56.575{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491013Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:56.534{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018491012Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.506{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-970.attackrange.local64949-false142.250.185.206fra16s52-in-f14.1e100.net443https 354300x800000000000000018491011Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.505{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local49447- 354300x800000000000000018491010Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.505{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54940- 354300x800000000000000018491009Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:51.343{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60551-false10.0.1.12-8000- 22542200x800000000000000018491008Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.515{CBEA6AB7-55E4-619B-9101-000000000F02}5988sb-ssl.l.google.com02a00:1450:4001:801::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018491007Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.513{CBEA6AB7-55E4-619B-9101-000000000F02}5988sb-ssl.l.google.com0142.250.185.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018491006Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:52.512{CBEA6AB7-55E4-619B-9101-000000000F02}5988sb-ssl.google.com0type: 5 sb-ssl.l.google.com;::ffff:142.250.185.206;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000018491005Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:56.244{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0686D63BDBB579626B8E66CB204F6DE2,SHA256=81DA9E7A5F72C321C758B8BED315A8BE0362315BE4F3003A09B0738CC08959C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491004Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:56.090{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491003Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:56.088{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=CC52112C3813BEBB5EED9EC1A857109B,SHA256=F9161450AC863085517AF14E705E811C084F0301324C1B8E443099148DDED211,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253170Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:57.672{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF26BA8EA591D0C484B76A453EBB59C,SHA256=94EFA0D10B4C1966E3BC5F5FF32723DDDC87C858762391B3A151501AD69D0662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491019Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:57.430{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC63C92513952CDCE1EF47C12B9E1586,SHA256=F3713E5AAE50CFFAF51450FD014D85BEFE89A6E25A6D5D2D7D9562F217095639,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491018Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:57.251{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F8B4EDCE0DED0BD32160835A385BE9,SHA256=D987952BFC000E7621D44258606ECB9E1BCABF7C375EBA2CD4ABF58246484F3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491017Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:57.007{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253171Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:58.687{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8150B8F351A7A896277ECBC3B73F1926,SHA256=87EEF0594D04588DA9C932DA5FC77073C7EE484F960E334EC56964F2C119DC2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491027Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:58.368{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491026Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:58.368{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491025Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:58.366{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491024Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:58.366{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018491023Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.839{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60552-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000018491022Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.839{CBEA6AB7-4F8F-619B-2700-000000000F02}2892C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60552-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000018491021Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:54.513{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-58316-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491020Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:58.256{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A209FFAD763E5811B49B79A9ADEC5C9,SHA256=6DEBACBC7BFEBF9385B514CD287139080B7488774C98C929ABCACF94442AE3D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253173Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:59.703{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB432922603167E32C56A366903FA74,SHA256=9451BDCBF286346BB81EA7D6434A8AADF5FB7E49E6090FAF753BDF7C05A9AAB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491029Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:55.233{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60553-false10.0.1.12-8089- 23542300x800000000000000018491028Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:59.261{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466518A4EB5CA676E94B42DB1E91B4BE,SHA256=30F15BBE937606F30C236AB7B61468FFB000919AABFF726F2BA7C3FB9427B427,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253172Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:13:56.355{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53568-false10.0.1.12-8000- 23542300x80000000000000001253174Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:00.734{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A325433553237A70BB161B257D91377,SHA256=A1013E82102F84D88D4884A48396D043DA8F3837B17FEEBDB3AE04950CEC2CDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491055Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.707{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491054Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.619{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491053Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.615{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491052Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.615{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491051Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.599{CBEA6AB7-5528-619B-5E01-000000000F02}45046396C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491050Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.599{CBEA6AB7-5528-619B-5E01-000000000F02}45046396C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491049Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.599{CBEA6AB7-5528-619B-5E01-000000000F02}45046396C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491048Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.599{CBEA6AB7-5528-619B-5E01-000000000F02}45046396C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491047Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.591{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491046Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.587{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491045Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.583{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491044Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.583{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491043Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.583{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491042Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.579{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000018491041Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:14:00.547{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\readme.txt2021-11-22 13:14:00.547 10341000x800000000000000018491040Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.539{CBEA6AB7-4F82-619B-1600-000000000F02}13041840C:\Windows\system32\svchost.exe{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491039Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.539{CBEA6AB7-4F82-619B-1600-000000000F02}13041344C:\Windows\system32\svchost.exe{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491038Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.523{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491037Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.523{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491036Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.523{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491035Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.523{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491034Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.523{CBEA6AB7-5525-619B-4D01-000000000F02}1268524C:\Windows\system32\csrss.exe{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491033Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.523{CBEA6AB7-5528-619B-5E01-000000000F02}45046384C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x800000000000000018491032Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.524{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\" -an -ai#7zMap23410:114:7zEvent20657C:\Windows\system32\ATTACKRANGE\Administrator{CBEA6AB7-5527-619B-F481-110000000000}0x1181f42HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x800000000000000018491031Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:13:56.439{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60554-false10.0.1.12-8000- 23542300x800000000000000018491030Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:00.272{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30BDD003A6219F6DBA7F637B39956FE,SHA256=7D02EB403EFE167639F60B081BE80091AFEA6C60D7C58F8C3AD82695E7D77A11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253175Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:01.766{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822552A5258E94551439F52AA28DF9E2,SHA256=AF6CE065259C6012D1B4340512EE97BF89E4A948836B837D2B4F21ED0DBCCE29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491057Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:01.524{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B257AA97DF28654D16A84222F65E1F4,SHA256=FACE4869FDFC92BE087872EFB0C9890142DDADBB2D2C95522F7BE275F48BC18A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491056Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:01.280{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D24AE3B25E64CF2AB5A6D1D8CB1211,SHA256=EA1CE46C6897C9C60E7E91AFE0F4AFE4A5DB35A0CFAFF293DAB409715364196A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253176Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:02.797{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C341CFEDC346A47049650F424C920D,SHA256=04C550F22538220ED722386FB1C474BF23237952701D478B9217224ACC5BB6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491058Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:02.293{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4A8FDDCEE0FFF26446483522BDDEDC,SHA256=D70BA74EC8E37922AAB731DE94CC384D25AD1037DBE4B0ED04CFA3CDA6C850B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253177Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:03.812{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37148C19F2A964CB49D224D66BD2F49F,SHA256=3B9B81C31E0560A06F8BAFC229E1007F50E9E4479AD0CF07BBAF01E769F7F992,IMPHASH=00000000000000000000000000000000falsetrue 254200x800000000000000018491065Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localT10992021-11-22 13:14:03.799{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\WebBrowserPassView.exe2021-04-16 10:36:16.6452021-11-22 13:14:03.799 11241100x800000000000000018491064Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:14:03.799{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\WebBrowserPassView.exe2021-11-22 13:14:03.799 11241100x800000000000000018491063Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:14:03.799{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\WebBrowserPassView.chm2021-11-22 13:14:03.799 10341000x800000000000000018491062Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:03.795{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491061Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:03.795{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491060Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:03.795{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-9798-619B-D609-000000000F02}7840C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491059Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:03.294{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F6F93849706E3E60B1F0A586C3FE43,SHA256=BA59C38D60E18D354628708601CA5808D6265E8C19C3D8DDDE40324C7322826D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253178Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:04.844{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1464573C3D54C29CDE93713E922B4A,SHA256=E38FE822AA900F37002760077A4F565DAA6913748B58F15064AAB8D286E26A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491068Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:01.154{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-44100-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491067Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:04.298{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9780A4A8168C924A30C2269C4C4A4A8,SHA256=6ED9D683AF7C2F6D33DB144DFC03E6F5CC07E73C4454CD70D3A64FA7EE9A7D7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491066Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:04.043{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9DBB13068C994F0613760E8168C6297,SHA256=000F193487935CB0DD8EB83F6D7D4B6E04BDC3BCBE59C101B4572884C28E5B4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253180Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:05.859{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C2EE70842D736B517C1117E3A70024,SHA256=E1591EA6C9FD4D211555F3539EE8E71AC7B5BBA76BF87DC1C8210801C877FA70,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253179Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:02.355{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53569-false10.0.1.12-8000- 23542300x800000000000000018491069Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:05.304{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9458EE4DB225CC0EF670989BA54691,SHA256=15A8FC39605D73B2011587CB572F4A9EF3F81B8AD26C9F71044449AADE1DE287,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253181Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:06.875{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DC98A760407CD3EDB7E13BD4A2C876,SHA256=6467B8B4650F676E711E35F12E9DDD4C3E823C2573D5319D89EA12FAA1953081,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491071Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:02.265{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60555-false10.0.1.12-8000- 23542300x800000000000000018491070Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:06.309{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157AD527E8241ACF591BD1E8FC7BD5E0,SHA256=18AFD71DABCF668731CC8660C2DA6CC5C2AE2E9AF777CBE9A3EF96EFD7CDF5BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253182Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:07.969{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DF3F1D1B911387A3B1DCD6813FEDF9,SHA256=F03A1B7EB7217DEA5459E47DC0198BA2BF0975D9E4883EA1C9F94E809B5FEA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491075Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:07.781{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491074Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:07.739{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000018491073Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:07.735{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 23542300x800000000000000018491072Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:07.311{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F36B458562679412ABADF1D13B189A4,SHA256=E5591BAE5BC9FD09C36DF1ECCFE682EE93E35ABDC9DDA9E3B763F597B19A1FA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491079Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:08.544{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491078Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:08.528{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491077Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:08.528{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491076Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:08.316{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11DC5AAA24ED040A8806435DE08FF3D,SHA256=4A5254E5E37A27FDA6865C023B09E82A8B8B7D5447A416A6EBACA15678324E18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491082Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:09.981{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F481CD887E911E8D7A2FE90CDE232A2,SHA256=7F85DD19DCF8B6B4BD6BCA9B1C2B18E7AB5E4EE6FF4EAE0626F6AA598C7AA2B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491081Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:09.981{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17FBA21441A94DAF7F504F8EA4BA4E97,SHA256=A6B398F631344619CFAC864652A7BF7E27DD5070DE552EF77B742989F40945BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491080Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:09.321{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF56BF75BC49EA6989D5967B359C3EE,SHA256=C46AE876CED331841C6304B2C63C96C56F1B02011AEC94E15FEFDBE69B2F2A2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253183Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:09.156{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C9A0EC4C2F612F68A9E3617443BCB4,SHA256=93C70FA777DE87E2EDAB322F9A1AA39A312D6A7677A6588C09F0807A3633CC54,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491086Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:07.481{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-40602-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018491085Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:07.329{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60556-false10.0.1.12-8000- 354300x800000000000000018491084Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:07.082{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-40310-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491083Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:10.330{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D0E12E399101B20C2AAA7C46B6F689,SHA256=527973648F606FAC20F84F596C8899417BD0FD84008060C06B7C955DC6865C2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253185Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:10.158{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B17464B750CD5E346FABCB2151F432,SHA256=AD5ACF2BBBFF0A63A5E8137072D1B8B0FBD7C92CD4AF55B2A8CD61E1A26968F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253184Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:10.082{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211122080631-299MD5=2BDDF39925470B8EC963509AF6294792,SHA256=55F3B8F2085B1B773D0157DE95B74DA236A1C8442DB52BE5C71968FDD2B7F483,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253188Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:08.402{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53570-false10.0.1.12-8000- 23542300x80000000000000001253187Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:11.172{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874D3DA9F3BF5CF93633A0B93527B2C8,SHA256=A3414208017CA5A714E9DDC923539EEA372B0DF3AE6D21C1ED4DD48BCFE2A60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491087Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:11.336{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8486D9FD76BF9EDFD83D84D7EB8D68AE,SHA256=7841844901E6D56F55D4C837C9B6A0498DC53C3CA9BA213E49D555286D5A7CE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253186Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:11.097{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211122080629-300MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491089Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:12.688{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F481CD887E911E8D7A2FE90CDE232A2,SHA256=7F85DD19DCF8B6B4BD6BCA9B1C2B18E7AB5E4EE6FF4EAE0626F6AA598C7AA2B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491088Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:12.337{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF30CD451C2C73EE1127F9014A83B888,SHA256=E37AFAE541BF237F97A1A4303B5061E9990F74AF8494A93787FB55AB2BC1F6A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253189Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:12.181{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042727298FF94C91D2BDA8E7B3045192,SHA256=C2EF725AF343AB269E732167F3E61B1F3A653DD523FCF5855265D98F6B5E9C2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491091Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:09.743{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-44434-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491090Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:13.338{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF773A9A0F933CD6FB942165ADEC558,SHA256=D72676B4677E4852B055E30FAEBB1D5124F185F1F9360C24E7E994FBC6AA611F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253190Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:13.181{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE087AAC37F2D4A36C6A3DC5DBB16FE,SHA256=75B27CBEC513198B9D7B7CA9F5D24809A0C6BDA3CD9CC27DC295D99BE71262C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491093Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:14.786{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6BA99267E326FF29B8D89EF53A67425,SHA256=A5BE8A4420F28AA8DB3525CA667DAC5CB1A35FD9D8972D0C24DA89AA59FB297B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491092Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:14.343{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC71CD239C38AE817C66B828B063A7D,SHA256=31A555F204428CF19E5C3885E6C0F0F92AA73FBCD1A948A681BC28268C4A0B57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253192Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:12.193{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-33708-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253191Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:14.197{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BD19ADBA0C7FEBFD52F626B84DCE17,SHA256=BA7236F3AB67ADF96F43B4C056775EC00AD1E0F6C5343874E4A9E2BCD6CAE7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253193Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:15.212{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102F370464FC064BD52F5E61F4CEE25F,SHA256=C22188199626FD2394359675130AD7AB9E4632CF1DACC7A28F5BF1811C958C4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491097Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:12.373{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60557-false10.0.1.12-8000- 354300x800000000000000018491096Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:11.902{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-39410-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018491095Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:11.729{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53571-false10.0.1.14win-dc-970.attackrange.local49672- 23542300x800000000000000018491094Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:15.349{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168C04D9A61A6B78C50E43947D857B9A,SHA256=5598995FD00A574A4D9AA3310D991E704AC263DB42279F2A14BC9724C12E3095,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491098Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:16.354{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7F5FFAE90F004733C325FC2A021894,SHA256=5A72E5577CEE3027C2F46754729043E69403490A462033D88F61541D3F214CAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253195Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:12.733{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53571-false10.0.1.14-49672- 23542300x80000000000000001253194Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:16.212{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C217B1801532C4D67C3CC38AB33E96,SHA256=97D11F5A19DE2312562C79230E414D3E55B32B2A4E4A4391BC677DD585828130,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253198Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:14.349{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53572-false10.0.1.12-8000- 354300x80000000000000001253197Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:13.997{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-60938-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253196Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:17.212{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D4D11D72448D553E3CBB1BD85CA163,SHA256=A729FB7E64FBF976C4E4D32F3F6B36F01637420F6EB437CEE6CFD195436FF208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491099Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:17.355{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F172F9BC1533CC1EF15CCEDB1A35BC23,SHA256=70046FECC196B44E0C474AF93C928BBA83F0D4CDA04BDD256B53973DE9B7C375,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253199Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:18.228{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5AFB1632ECCEA79D2DDDFAA971D20F,SHA256=C11FB49CC8D26912278F3E14414753F6CDB07F416AD1801319E5116660A2F463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491105Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:18.949{CBEA6AB7-4F8F-619B-2E00-000000000F02}1156NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211122080641-299MD5=A1D0D577F42544DD772EFF490FF2796C,SHA256=BAF9C27C7C1429C61A9430176677A01FBBE9BC9408F59946D1FBAFE42606F366,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491104Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:18.942{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491103Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:18.942{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491102Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:18.939{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491101Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:18.939{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491100Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:18.361{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B71E5F9649E5B0A3316806664C9386,SHA256=9F79CAD18237B1B0BD4C3FB819BCF415D40C0D1F367C1D6567349320D3032732,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253200Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:19.259{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBD2D62EA2B9A7D0F7D7869A66A2CA1,SHA256=373598BB3F30322E40DFFF167B4C802717E3F9C8FA14664CF91E02968CD75179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491109Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:19.948{CBEA6AB7-4F8F-619B-2E00-000000000F02}1156NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211122080639-300MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491108Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:19.789{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491107Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:19.447{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A26E88AAA0382B0A72F4F352905DC74F,SHA256=27FBD5AA077582CFC049BB304E2334971FA20B22DA646DAFF4C410396A8B444C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491106Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:19.375{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C49827C25CD58E0AB9FFA797EFB96E,SHA256=055AE0A4CB67723F54FB5452B3D9030258D1BD9A4BDC808D1B74D121E6A918DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253201Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:20.494{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5DAD5406E29F02D9BAA94BD2C18BFA,SHA256=854F59C64F2948EEB3795C026703BEB074A098BBD1E0B98DA03ACCA8C06CEF1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491112Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:17.442{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60558-false10.0.1.12-8000- 354300x800000000000000018491111Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:16.167{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-59954-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491110Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:20.376{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A477AA5B528AF99694A49F185CEA6F4,SHA256=67F110A56BD95A945D1CC2C846D18BB031D4A52569035CB8C11390A0D22B481F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253202Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:21.666{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89494D7334D84AB4696874EB09052C41,SHA256=CF375AE871945D92E2E468C793CEC410794139CE90DA566E24FF23DFBE554F4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491138Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.787{CBEA6AB7-4F81-619B-0D00-000000000F02}8925764C:\Windows\system32\svchost.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491137Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.787{CBEA6AB7-4F81-619B-0D00-000000000F02}8925764C:\Windows\system32\svchost.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491136Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.396{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF915A5A952F3DC4F58442727178750,SHA256=F84D949E68B67E1E6ECEC30208D4CE4A8E597FCDA9A574A3A95739AB248E1346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491135Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.273{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491134Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.199{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491133Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.199{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491132Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.199{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491131Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.197{CBEA6AB7-5528-619B-5E01-000000000F02}45042376C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491130Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.197{CBEA6AB7-5528-619B-5E01-000000000F02}45042376C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491129Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.197{CBEA6AB7-5528-619B-5E01-000000000F02}45042376C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491128Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.195{CBEA6AB7-5528-619B-5E01-000000000F02}45042376C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491127Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.185{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491126Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.181{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491125Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.177{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491124Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.177{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491123Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.177{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491122Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.177{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491121Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.149{CBEA6AB7-4F82-619B-1600-000000000F02}13041840C:\Windows\system32\svchost.exe{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491120Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.149{CBEA6AB7-4F82-619B-1600-000000000F02}13041344C:\Windows\system32\svchost.exe{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491119Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.133{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491118Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.133{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491117Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.133{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491116Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.133{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491115Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.133{CBEA6AB7-5525-619B-4D01-000000000F02}12684868C:\Windows\system32\csrss.exe{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491114Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.133{CBEA6AB7-5528-619B-5E01-000000000F02}45046384C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x800000000000000018491113Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:21.134{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\" -an -ai#7zMap25175:114:7zEvent22885C:\Windows\system32\ATTACKRANGE\Administrator{CBEA6AB7-5527-619B-F481-110000000000}0x1181f42HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001253204Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:22.698{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B9B65E34C2EA9C8B1874C87D2DE563,SHA256=FE77CB357A6775AC6DF9BA519488D350B476CEC3A9E65B8C7F816F065F8CC337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491140Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:22.399{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4F4BA5BEC1421C9C32DD89BDF08804,SHA256=8C14C7AFCD246451933D4A5FF66B4796515CCEE19F671319CECE1CD72BAEFDD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253203Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:19.699{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-45296-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000018491139Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:22.140{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE241D8148E0CF04122F3698127120CE,SHA256=D13C81B1D6CEBF6981018D7630D5336CF4AF03FB49A8BF62F85E84B2117D1D76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253206Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:23.728{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5F0DF4546F1EC46D85C956157DE594,SHA256=7A209FB6B87EC10D6CCDD6D69CCF7FEF43B3A2AFE26CC721CFCBCEE797263480,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491146Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:23.729{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000018491145Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:14:23.725{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\readme.txt2011-08-11 01:10:03.625 10341000x800000000000000018491144Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:23.721{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491143Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:23.721{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491142Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:23.721{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491141Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:23.408{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5052797674799A22969BDD8BFFAF57,SHA256=D1AF5003850541BA29E20CBC997BEBD89B131FF92519BC5B51E5CA2A381505DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253205Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:20.318{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53573-false10.0.1.12-8000- 23542300x80000000000000001253207Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:24.759{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1241CE49B5D4A36B737DD7FF5903CFF6,SHA256=314FDFBC29D0648E6B683B1083E63C806937C84FC9D6617D8345FA77AB1F541F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491147Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:24.426{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50CAD57B795B67FA82CC564B7970E54,SHA256=F96A812336961DDBED282718DF5D9A7A3C9CBA55899111F9F4ADE1AC2269BE34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253209Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:25.806{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCB6869B86A0903B38AA8EAA1F5CD31,SHA256=85DB8EC1B178CE48E9AC08DC0C2CDDBFF1D5804DA0B7C5BF23AD933478388662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491148Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:25.456{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67023DFCE8997614C749833D848DEE50,SHA256=4F90882FF13B7DD6FC3F8F666A864C9492E115A452626E23BEE43BFBEFDF7B1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253208Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:22.540{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-56190-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253210Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:26.822{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E0ED72568E64E0BA1195F7E5BA0B1B,SHA256=C9B980ED440A6E80946E110EEDBC6E1C177FA7447DC2029756461C0C4CF1A212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491152Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:26.640{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D6BA24366E4363C12683734D7B4FCD0,SHA256=284C6C61B96AB6E52CD35B5708D9B4869CF05E63F4B4B03A88652BE1856CA919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491151Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:23.429{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60559-false10.0.1.12-8000- 354300x800000000000000018491150Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:22.650{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse112.31.195.234-50997-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491149Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:26.487{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9470BE5B022738B5DE466A878E469DE,SHA256=FE63494B45082636D812076E74DC718650146F6E5A2E027555157B57B26558F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253211Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:27.837{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA13EF4D7B870F961CC8E4031DC4784,SHA256=62FE7B310B0C739B3D1BD3817F980801DAB9321EAB7F1DECFBAD49DE3BE6CBF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491153Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:27.505{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D6717F40FCC4FBA80264DA679F46F6,SHA256=A9739117DBEAF40593095ACEEFEED8C8D59C5C4F85E4BF6AAF1F1A14F11B94F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253213Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:25.505{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53574-false10.0.1.12-8000- 23542300x80000000000000001253212Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:28.869{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B562F05A62DA207DA927C3A6D842C633,SHA256=20B54A7CFA0198EDC3018DE6F55FF8F3684BFD3B7CB901D80A7D1F27E30452BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491160Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:28.523{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FCEB8A94CA23B665A1AA70ECB89859,SHA256=8BEA6641E9FF20D9A6F242EB82FB18369EE3C3F36A93A0BEE36E470795C8F35A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 254200x800000000000000018491159Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localT10992021-11-22 13:14:28.385{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\WebBrowserPassView.exe2021-04-16 10:36:16.6452021-04-16 10:36:16.645 11241100x800000000000000018491158Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:14:28.370{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\WebBrowserPassView.exe2021-04-16 10:36:16.645 11241100x800000000000000018491157Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:14:28.370{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\WebBrowserPassView.chm2011-08-11 01:10:03.687 10341000x800000000000000018491156Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:28.370{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491155Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:28.370{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491154Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:28.370{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97AD-619B-D709-000000000F02}6564C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253214Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:29.884{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0780BBDDA83F3EC231328B816747ED,SHA256=B40E55869AC07AECD900DD91C3EBF0FE7E2798B807212256A68BE0E141E5D371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491162Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:29.955{CBEA6AB7-4F82-619B-1100-000000000F02}436NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C9FFF442BD64A3148AB7DD7A304D5914,SHA256=95B8158B495BB4834B6930E8BC6130700D514EB7284656342C21D97197B9271E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491161Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:29.538{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919C85B031B40E6D2A2890D11423CD74,SHA256=4C897EA7A80A4C3AEFB3FCF7FC7BFBA0477B38F42785D4DD7A33C0F6EA26A651,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253215Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:30.900{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF836F0F3763AD8A17E8074DD45C934C,SHA256=25A1F7405EF14FCB437AA964896708592C9664E455EF115F1C63FF046620A154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491173Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:30.540{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9CC051102F1A102013911BBE446F05,SHA256=7D2E16D3C815609946450D79F1F6D384705CC75A50322B2F5F19E08A6D410440,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000018491172Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000018491171Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x011abeb0) 13241300x800000000000000018491170Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7df9a-0x7f934114) 13241300x800000000000000018491169Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dfa2-0xe157a914) 13241300x800000000000000018491168Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dfab-0x431c1114) 13241300x800000000000000018491167Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000018491166Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x011abeb0) 13241300x800000000000000018491165Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7df9a-0x7f934114) 13241300x800000000000000018491164Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dfa2-0xe157a914) 13241300x800000000000000018491163Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:14:30.004{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dfab-0x431c1114) 23542300x80000000000000001253217Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:31.916{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917B72083225E8CD4E0E857476A0E8C4,SHA256=359A1F41975C09DDFE5DE4AF02C43E9A9E43BE08EABD4459522855C1A3105D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491174Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:31.570{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439D403C9E71D509E0A90A44F0D7CA80,SHA256=17D56C995A60B584916F4F757D8C4CEC00C0B999CF9ADE87E3F186B73F3B7A6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253216Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:31.651{068A336D-4F84-619B-1200-000000001002}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=33E2D3CFD74136019E6BCC6DBE0B4A27,SHA256=F330D4F8AE5CCA3B3D6DC0AAC42214784F2325067E3D2329609D9F09003A0BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253218Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:32.932{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA95A6C523877F48F68C0AC2B3252408,SHA256=123CC6490080AD7C00E40E578E4548E92137763A1849B1EE207E213BC20E565C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491176Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:29.427{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60560-false10.0.1.12-8000- 23542300x800000000000000018491175Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:32.570{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54FA4709054209EF89615767729094C,SHA256=32851C2B7897335A4D71B7CC0D25E809DA87E832EF4916EE0C382DC6A6E9FB8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253220Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:33.963{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3220B157ED59FA5E1C274E11276D01AB,SHA256=59B08DE6D8CD48DAB1DAD6F47C4BE747D8000ED6D62AB58AC34C281296F6D95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491177Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:33.572{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47126C3F0D7AB4A9B52623DDFDBC5009,SHA256=1F693CF64EFC846B51881CA54299FF986E8A038B7FCF685C8BD60C67FCFE1322,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253219Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:31.381{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53575-false10.0.1.12-8000- 23542300x800000000000000018491178Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:34.587{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A921BD922F4A5795474FC3EDD7649E,SHA256=B3CC4A550FE7EBAB93E6CF59C8E3FBAA05B67E24E41F0388F6755ED5C08326B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491183Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:32.685{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-38562-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018491182Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:32.467{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-37216-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491181Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:35.605{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7FE114E0FE45E70D45ED7E6AE5B103,SHA256=FCDC00912C220209A9EA418BD3394C1FE2AD1759C467B19E3EFBC27D4365F18E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253221Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:35.104{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCECA7A78EFFBBFEDDEDD7E848388C4A,SHA256=90C518BCD038BB2125BC253788733A83FFEDDA6A9016319BCE6F40E398923995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491180Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:35.524{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=513EFB5C82BADA91A305A57FA7596777,SHA256=534A45AC7799E1D6732F2CABCB0768A1112C62E5D1EB248941457F61064977CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491179Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:35.524{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD62C2C3AA4975AF5BD691ACB9968996,SHA256=7C1560DFF4F7B67C50D9D52B4F151E1F4A5CE4CB7DCA6A8D04E23116D3076B50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491188Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:33.727{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-41280-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018491187Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:33.575{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53576-false10.0.1.14win-dc-970.attackrange.local49672- 354300x800000000000000018491186Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:32.867{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-38888-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491185Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:36.654{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=513EFB5C82BADA91A305A57FA7596777,SHA256=534A45AC7799E1D6732F2CABCB0768A1112C62E5D1EB248941457F61064977CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491184Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:36.638{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BF0E9544B2599C9FEB3C4A3DBA6F7E,SHA256=0E9D44856C0883CAE4842FD54CF4B3395F1AE9B9A8FBBCADB7A56E31FB614F45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253222Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:36.135{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C63A2DD08EA0543C82EABE68B6DB55,SHA256=72EF34FBCA8F2DE6C1548C9CEDA48D7AC14673713FC41AAFFD075BE2619C0405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491189Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:37.654{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10ABDFB2F18A950F8F2F84123AB88186,SHA256=AE3E235E43DDD764370975B0914F3A48CD1CBA75C7C0C85D78306F4B86514F77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253224Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:37.354{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A90DF459E4404537DA04E1B68DB3779,SHA256=B3DFE014DE66CF8D4F85BF48ACDDB24349946B3A4811B2CA54FED8381665D439,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253223Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:34.405{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53000-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253226Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:34.580{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53576-false10.0.1.14-49672- 23542300x80000000000000001253225Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:38.432{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5164C57FE9EA8730F987017B630D867,SHA256=2F85EEC7950694EA1400898F75C81734DC88484D67D2019A99E7D2DC7A2F2A29,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491191Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:35.331{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60561-false10.0.1.12-8000- 23542300x800000000000000018491190Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:38.668{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09BB1B9EEABCE8629F6BEC9CF83E7E1,SHA256=8CBB7113C16F8FC45CA8B482B31091FFF01B04D21FE2C3279A63F006E7235B75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491280Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.709{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA5B112E080B1E551C1EE28387881FD,SHA256=EE9581960A0E09696FC1389176D6B0A1E8639C0175C9953D1C2D8DD9A4D2B9DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253228Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:36.475{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53577-false10.0.1.12-8000- 23542300x80000000000000001253227Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:39.432{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A866780BF44E47FAB4F0A9389DAD77,SHA256=6101999F979FD5E529AF3AC9C30AEA28E9588F495CFC0D15CDBD53B6DF479EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491279Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.663{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B290C7BCA7959622258090DBD535476,SHA256=C6E050A1AAC8DAFB5450B05D5DE6604238DE2D2623A93B6772FDB0CAC7CA224E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491278Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.659{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491277Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491276Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491275Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491274Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491273Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491272Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491271Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491270Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491269Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491268Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491267Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.658{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491266Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.657{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491265Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.657{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491264Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.657{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491263Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.657{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491262Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.657{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491261Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.657{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491260Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.657{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491259Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.657{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491258Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.657{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491257Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.656{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491256Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.656{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491255Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.656{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491254Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.656{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491253Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.656{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491252Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.656{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491251Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.656{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491250Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.655{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491249Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-4F7F-619B-0B00-000000000F02}6322488C:\Windows\system32\lsass.exe{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491248Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-4F7F-619B-0B00-000000000F02}6322488C:\Windows\system32\lsass.exe{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491247Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491246Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491245Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491244Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491243Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491242Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491241Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491240Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491239Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491238Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491237Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491236Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491235Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491234Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491233Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491232Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491231Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491230Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491229Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491228Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491227Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491226Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491225Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491224Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491223Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491222Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491221Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491220Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491219Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.552{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491218Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.505{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491217Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.505{CBEA6AB7-5528-619B-5E01-000000000F02}45042376C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491216Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.505{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491215Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.505{CBEA6AB7-5528-619B-5E01-000000000F02}45042376C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491214Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.505{CBEA6AB7-5528-619B-5E01-000000000F02}45042376C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491213Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.505{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491212Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.503{CBEA6AB7-5528-619B-5E01-000000000F02}45042376C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491211Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.483{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491210Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.483{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491209Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.483{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491208Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.483{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491207Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.483{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491206Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.483{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491205Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.405{CBEA6AB7-4F82-619B-1600-000000000F02}13041840C:\Windows\system32\svchost.exe{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491204Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.405{CBEA6AB7-4F82-619B-1600-000000000F02}13041344C:\Windows\system32\svchost.exe{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491203Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.320{CBEA6AB7-4F82-619B-1300-000000000F02}4045768C:\Windows\System32\svchost.exe{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018491202Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localInvDBSetValue2021-11-22 13:14:39.320{CBEA6AB7-4F82-619B-1300-000000000F02}404C:\Windows\System32\svchost.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\WebBrowserPassView.exeBinary Data 10341000x800000000000000018491201Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.320{CBEA6AB7-4F82-619B-1300-000000000F02}4041000C:\Windows\System32\svchost.exe{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491200Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.320{CBEA6AB7-4F82-619B-1300-000000000F02}4041000C:\Windows\System32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491199Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.320{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491198Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.320{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491197Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.320{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491196Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.320{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491195Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.320{CBEA6AB7-5525-619B-4D01-000000000F02}12684868C:\Windows\system32\csrss.exe{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491194Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.320{CBEA6AB7-5528-619B-5E01-000000000F02}45041096C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491193Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.319{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe2.11Web Browser Password Viewer-NirSoft-"C:\Users\Administrator\Downloads\WebBrowserPassView.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{CBEA6AB7-5527-619B-F481-110000000000}0x1181f42HighMD5=F3D20449BAB41301AEFAD304CB02773B,SHA256=C41216EEE9756A1DCC546DF4FE97DEFC05513EED64CE6AC05F1501B50E6F96CC,IMPHASH=6CDE2F49ECF3CC2F14739BABAA8FD75F{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000018491192Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:39.021{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F1C2ECA98213A56ABBD3BEB39BBDA69,SHA256=A0029D1DF39EF4D9C9E598E64B4540225B3CA9310AFC6390914C9841813CC73B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491283Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:36.097{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-44496-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491282Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:40.711{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64465F7351F36DED957E9445C20F2D0E,SHA256=778FF19CC1E1836792B1D25DD401518BBD5EAF7727D06BEB25968BB8FB5FFD70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253244Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.823{068A336D-97C0-619B-0C09-000000001002}8443884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001253243Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:37.694{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-38898-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001253242Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97C0-619B-0C09-000000001002}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253241Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253240Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253239Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253238Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253237Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253236Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253235Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253234Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253233Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253232Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-97C0-619B-0C09-000000001002}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253231Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.463{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97C0-619B-0C09-000000001002}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253230Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.464{068A336D-97C0-619B-0C09-000000001002}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253229Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.448{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C72B61CAAF83EE07EB7AC7B4B585CF1,SHA256=C005C960C2844B0CE2D6BF18A8386E6BA5BC337E327DE5AF61C3D40FC77188E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491281Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:40.312{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=501D10D6606188587FF5282CB1139419,SHA256=2DCA82685D71C33D5FC3FAA843B6A199ED8844CD53B17B54A3AF5AA8AA99A238,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491319Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491318Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491317Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491316Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491315Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491314Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491313Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491312Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491311Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491310Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491309Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491308Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491307Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491306Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491305Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491304Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491303Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491302Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491301Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491300Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491299Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491298Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491297Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491296Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491295Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491294Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491293Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491292Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491291Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491290Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491289Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491288Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491287Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491286Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491285Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.792{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491284Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:41.730{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3288F88C725963AB3B1A04B3BDA2C864,SHA256=9C4640AF079A8FD77A1E167596C424618CEA31710EEF40254BC9625B083FE1AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253258Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.495{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B3986DC34FCFAB0E131DAA889FC1AE,SHA256=7D07A05C018B645380FE1B31BCF7DFF520341EF003EE8CE53CBE317CA4E4B393,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001253257Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97C1-619B-0D09-000000001002}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253256Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253255Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253254Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253253Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253252Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253251Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253250Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253249Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253248Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253247Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-97C1-619B-0D09-000000001002}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253246Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.354{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97C1-619B-0D09-000000001002}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253245Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.355{068A336D-97C1-619B-0D09-000000001002}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253272Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.588{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079D23BDE9355FBB5D8B713646128E4B,SHA256=EEA9452F9A1E3203CF424FF0BE20464F481F6EBC0F16FA6DE1DEA6C2E6D6AFB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001253271Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97C2-619B-0E09-000000001002}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253270Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253269Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253268Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253267Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253266Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253265Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253264Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253263Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253262Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253261Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-97C2-619B-0E09-000000001002}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253260Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.026{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97C2-619B-0E09-000000001002}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253259Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.027{068A336D-97C2-619B-0E09-000000001002}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001253288Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97C3-619B-0F09-000000001002}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253287Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253286Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253285Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253284Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253283Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253282Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253281Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253280Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253279Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253278Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F82-619B-0500-000000001002}41692C:\Windows\system32\csrss.exe{068A336D-97C3-619B-0F09-000000001002}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253277Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.963{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97C3-619B-0F09-000000001002}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253276Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.964{068A336D-97C3-619B-0F09-000000001002}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253275Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:43.682{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28D2BCF64017E2B5A8C107EAFC1E825,SHA256=3F75A658785883513E3A6A7A7521B2669AD34D1606D2E66F39C023D94965E9AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491322Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:40.370{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60562-false10.0.1.12-8000- 23542300x800000000000000018491321Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:43.691{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491320Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:43.191{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B2239C43F6BCFBFD0019379E665EED,SHA256=6839D2BD0CF61A02C05DAF662D7BE58B0AE81896730CF5042B20D5A49ECD4260,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253274Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.454{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-34054-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253273Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:40.422{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-33998-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001253319Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97C4-619B-1109-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253318Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253317Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253316Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253315Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253314Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253313Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253312Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253311Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253310Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253309Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-97C4-619B-1109-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253308Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.979{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97C4-619B-1109-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253307Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.980{068A336D-97C4-619B-1109-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253306Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.916{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9CBD0AFBF781BF40DBAF5CF8088EEC,SHA256=0DC4EB65CABD64004C05D30955B932683AA872C2378109625F1060E8C6BAA982,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253305Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:42.444{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53578-false10.0.1.12-8000- 354300x80000000000000001253304Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:41.006{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-46182-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001253303Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.745{068A336D-97C4-619B-1009-000000001002}836960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491323Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:44.228{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C109139E830B2706320CC0131F0780C7,SHA256=41B564FBDD3EF637289A3F682013D5EFDBCD778C273F7361C9FFD34B048CE988,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253302Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97C4-619B-1009-000000001002}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253301Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253300Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253299Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253298Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253297Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253296Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253295Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253294Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253293Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253292Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-97C4-619B-1009-000000001002}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253291Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.463{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97C4-619B-1009-000000001002}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253290Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.464{068A336D-97C4-619B-1009-000000001002}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001253289Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:44.182{068A336D-97C3-619B-0F09-000000001002}2083460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253321Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:45.807{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606F59DBA3CC713EFB240F5AA48100CB,SHA256=45C590BFF67E6B76B2B825F34A50A2BCA0CAFB11393C826327E135D728C36262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491327Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:45.373{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491326Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:45.358{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491325Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:45.358{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491324Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:45.242{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0CEAB681D1B0CC6470BF7E32E81882,SHA256=7CA645A732CD824CCDF76C348635FFDE57D5C0D4A6D716BF6C64A31C7E821EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253320Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:45.229{068A336D-97C4-619B-1109-000000001002}21563472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253322Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:46.870{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38706616211B49FC436DDA5164AF479C,SHA256=4E6CCC0948DFFCD8D17448DBB8C409D726573BAFDC39032EDBB4C38757960277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491328Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:46.258{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361E3BC46C8FD6353BC1D6BBB8C8449B,SHA256=7FC4C78B2CAC814192A5AAA03E2A69414153629677ADD3AFADEF8EDB012FB3BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253324Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:47.932{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C495F2EC066EAB54E785A2EB2589D51C,SHA256=4A3A0433434209B7FD792B29A12A061C2C62C2F7DB52A16E678C89D2C568F014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253323Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:47.448{068A336D-4F85-619B-1F00-000000001002}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491329Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:47.272{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A6687316D82594D32BA185CD923494,SHA256=F82D046822E0C6075DA286BE77678383E872C0CF5138C863D3A52F7FEE4DD47F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253337Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97C8-619B-1209-000000001002}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253336Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253335Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253334Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253333Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253332Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253331Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253330Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253329Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253328Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253327Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-97C8-619B-1209-000000001002}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253326Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.135{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97C8-619B-1209-000000001002}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253325Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.136{068A336D-97C8-619B-1209-000000001002}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018491338Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:48.924{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-97C8-619B-D909-000000000F02}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491337Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:48.924{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491336Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:48.924{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491335Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:48.924{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491334Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:48.924{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491333Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:48.924{CBEA6AB7-4F7F-619B-0500-000000000F02}412480C:\Windows\system32\csrss.exe{CBEA6AB7-97C8-619B-D909-000000000F02}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491332Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:48.924{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-97C8-619B-D909-000000000F02}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491331Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:48.925{CBEA6AB7-97C8-619B-D909-000000000F02}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491330Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:48.287{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B91E2CBCB42DE4058CE60E3C63587C2,SHA256=E8E1B170183B2C96AD10864EC5FECA8C149F3B079A5D33FBAFC35A812FA18CBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253339Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:49.151{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC24D2133117CA56F9610974FFF35FF9,SHA256=12141B0ABBB1800DD52D7E483828CD69CDAF8636C91BE204786241EBAAF38226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491351Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.924{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AEBFE546A9DAF1E0B7EE863E871C039,SHA256=0DACACFE60E4011003A63904D529C8A0F8490E2187F93093FECD6F744992D656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491350Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.924{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4187C581C81FDED5402E17AB1E2C533,SHA256=588AFF02677EBC1A7C91F1A405F7EEB6A0B2F2492456DF1C3010E9C655306175,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491349Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.439{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-97C9-619B-DA09-000000000F02}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491348Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.439{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491347Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.439{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491346Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.439{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491345Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.439{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491344Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.439{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-97C9-619B-DA09-000000000F02}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491343Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.439{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-97C9-619B-DA09-000000000F02}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491342Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.440{CBEA6AB7-97C9-619B-DA09-000000000F02}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491341Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.306{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEF5942AB8AAABB4373D1C526252886,SHA256=D78489BF991022C928AC3434F2A6A96211A3CAB34B7381BA9137011E283CC1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253338Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:46.678{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53579-false10.0.1.12-8089- 354300x800000000000000018491340Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:45.482{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60563-false10.0.1.12-8000- 10341000x800000000000000018491339Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:49.103{CBEA6AB7-97C8-619B-D909-000000000F02}71127064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253341Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:50.307{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3243B5A6D40FD7317440564B0FF3DFC4,SHA256=16F2E495BB9BC3B89FA39A021C888A7E260B2B8A253887215AD312EBDD827871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491363Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.606{CBEA6AB7-5528-619B-5E01-000000000F02}45044604C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8032C868D08)|UNKNOWN(FFFFAA62CB725B48)|UNKNOWN(FFFFAA62CB725CC7)|UNKNOWN(FFFFAA62CB720351)|UNKNOWN(FFFFAA62CB721D1A)|UNKNOWN(FFFFAA62CB71FFD6)|UNKNOWN(FFFFF8032C581103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000018491362Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.606{CBEA6AB7-5528-619B-5E01-000000000F02}45044604C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8032C868D08)|UNKNOWN(FFFFAA62CB725B48)|UNKNOWN(FFFFAA62CB725CC7)|UNKNOWN(FFFFAA62CB720351)|UNKNOWN(FFFFAA62CB721D1A)|UNKNOWN(FFFFAA62CB71FFD6)|UNKNOWN(FFFFF8032C581103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491361Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.605{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF11b0f22.TMPMD5=CEFA209DEC3F5881F515D84B472D55C6,SHA256=5E86F15B6F5DF1DF26A2D5D1D0F09756F0C2A2889AA5CA47A1320CC00C52B59B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491360Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.324{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9981FFB96E3F811F0DF6B3A8EA05F9D9,SHA256=5010FD6EE5AB90BB1F2423B568CAA7DC57948646B5183DED256386080928FEA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253340Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:47.445{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53580-false10.0.1.12-8000- 10341000x800000000000000018491359Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.040{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-97CA-619B-DB09-000000000F02}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491358Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.040{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491357Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.040{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491356Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.040{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491355Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.040{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491354Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.040{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-97CA-619B-DB09-000000000F02}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491353Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.040{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-97CA-619B-DB09-000000000F02}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491352Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:50.041{CBEA6AB7-97CA-619B-DB09-000000000F02}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018491373Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.922{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-97CB-619B-DC09-000000000F02}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491372Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.922{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491371Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.922{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491370Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.922{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491369Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.922{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491368Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.922{CBEA6AB7-4F7F-619B-0500-000000000F02}412428C:\Windows\system32\csrss.exe{CBEA6AB7-97CB-619B-DC09-000000000F02}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491367Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.922{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-97CB-619B-DC09-000000000F02}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491366Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.923{CBEA6AB7-97CB-619B-DC09-000000000F02}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491365Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.339{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAE47CC57639ABCFC312247FB99E43C,SHA256=9358452C97D8E163094EB719E91FECE0496493590E81EEB2C0E30C10433A371A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253342Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:51.323{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4281364E78B104483AE2953D937B1CF6,SHA256=6E6D450D2CAE2040CB7E939C90175BCF0AD29A35A77AF318A77696068BD6839F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491364Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.055{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AEBFE546A9DAF1E0B7EE863E871C039,SHA256=0DACACFE60E4011003A63904D529C8A0F8490E2187F93093FECD6F744992D656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253344Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:52.337{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7630C5FFCEBBC67C69091A61C11FE121,SHA256=D6A10DFF906530EEA45653F90AB953FA87056E1A8E793EE84E3565DFF4EBC319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491385Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.937{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D83631466429AEDE90C359FD4CCAD2E,SHA256=AD64791056C522EBDF1B1A867C87E46383C86370AB2D1E28604B669E348FE8E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491384Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.784{CBEA6AB7-97CC-619B-DD09-000000000F02}47767392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491383Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.605{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-97CC-619B-DD09-000000000F02}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491382Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.603{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491381Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.603{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491380Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.603{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491379Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.602{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491378Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.602{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-97CC-619B-DD09-000000000F02}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491377Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.602{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-97CC-619B-DD09-000000000F02}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491376Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.601{CBEA6AB7-97CC-619B-DD09-000000000F02}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491375Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.353{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E73A32A6382F1610066DA38A7F4FB4D,SHA256=CBFED1FA8B10BB796930D79169B003BABE0EC75A78052D91F112AD3153ABF88F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491374Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:52.085{CBEA6AB7-97CB-619B-DC09-000000000F02}67007656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001253343Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:48.926{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-34656-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253345Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:53.353{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4545ED5D2203BE970354F682B0DEA3,SHA256=E1231E9AC893189CD0AC2591FB7076F2A54F885FCAD63E1F3A92A396CC8A9E38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491409Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.921{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-97CD-619B-DF09-000000000F02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491408Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.921{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491407Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.921{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491406Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.921{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491405Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.921{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491404Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.921{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-97CD-619B-DF09-000000000F02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491403Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.921{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-97CD-619B-DF09-000000000F02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491402Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.921{CBEA6AB7-97CD-619B-DF09-000000000F02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018491401Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.905{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491400Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.905{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491399Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.905{CBEA6AB7-5528-619B-5E01-000000000F02}45047696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491398Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.905{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491397Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.905{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491396Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.905{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491395Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.905{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491394Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.368{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20ECA01AAC5DE6E2663AB1C91F3D7056,SHA256=2076BA0621E6DAC019AB47337071EBAA36AF6D6F315AD7D4E03F2C42A0B9EC50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491393Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.284{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-97CD-619B-DE09-000000000F02}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491392Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.284{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491391Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.284{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491390Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.284{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491389Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.284{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491388Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.284{CBEA6AB7-4F7F-619B-0500-000000000F02}412480C:\Windows\system32\csrss.exe{CBEA6AB7-97CD-619B-DE09-000000000F02}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491387Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.284{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-97CD-619B-DE09-000000000F02}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491386Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:53.284{CBEA6AB7-97CD-619B-DE09-000000000F02}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253346Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:54.368{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619D153B442F517A2C476CB0E01D02FF,SHA256=F6CFA877B833FAAC4F30C4F96BB2F1481063629192B6421F7BE2EB86F8A9CCB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491430Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.604{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491429Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.604{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491428Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.603{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491427Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.603{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491426Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.603{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491425Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.583{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491424Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.583{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491423Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.583{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491422Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.583{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491421Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.583{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018491420Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.567{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491419Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.567{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491418Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.567{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491417Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.567{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491416Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.567{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491415Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.567{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491414Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.567{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5479|C:\Program Files\Mozilla Firefox\xul.dll+dc68ef|C:\Program Files\Mozilla Firefox\xul.dll+10eafb6|C:\Program Files\Mozilla Firefox\xul.dll+dc33ed|C:\Program Files\Mozilla Firefox\xul.dll+da81b0|C:\Program Files\Mozilla Firefox\xul.dll+1e87152|C:\Program Files\Mozilla Firefox\xul.dll+1971ffb|C:\Program Files\Mozilla Firefox\xul.dll+1974171|C:\Program Files\Mozilla Firefox\xul.dll+170b7e6|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170bc7a|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+17f9031|C:\Program Files\Mozilla Firefox\xul.dll+1a03190|C:\Program Files\Mozilla Firefox\xul.dll+19ff089 23542300x800000000000000018491413Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.383{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52928A6569C3B6F6473A89DE096A51A9,SHA256=7114C0168B193BCE5F614664996B97D73ACE6FD5A7D71C08C9E5525D6E97ECE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491412Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:51.377{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60564-false10.0.1.12-8000- 23542300x800000000000000018491411Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.303{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08D422C349FCEC465192CADF38BADB87,SHA256=233E74402ABC95ED9E046CA678F85F8E0D21DC80028D872F7D03EDE2857EE161,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491410Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.105{CBEA6AB7-97CD-619B-DF09-000000000F02}35367108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001253348Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:53.333{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53581-false10.0.1.12-8000- 23542300x80000000000000001253347Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:55.384{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2BAA7A2D45971208C18E7FA8B3CA08,SHA256=777A5280DB2E83B2CFF7935819F542AD74AC339BD8026B28184794A12D5D6917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491431Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:55.404{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F2607236A420EC84EC058BC795025B,SHA256=C0C71EE68167BC86010B2D287AA04BB2DD226B36E92F71B55A9B37F4DD7233DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253349Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:56.384{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5121EED68C8048632359F2A13FDE5CEE,SHA256=513EFDCD11FFCB0FE6A37DF4D5F4026BC49A4E1DC5EB5F3B4E6389FA65099939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491433Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:56.584{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491432Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:56.419{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865721BA553435357FB9B21606BDE6EC,SHA256=6EC1AA12B1485C81DCD5C3A009F21264C6D1C4FD752611E0B185B85FC80B0108,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491436Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:57.618{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F253A8EE385B82D3EC72076A4B75713C,SHA256=FB946AF4DCE9398F0125EF5ADD5F1BA8900C93FF697F116B5BC736E99CD6476D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491435Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:57.434{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003AFBE11175540489034C15CC11AD6D,SHA256=04794E44841CCD895AD28D0817283E57AD49E18D802BBD7A56D3EBB382A8D069,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253350Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:57.493{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4DFE4C9C3C12A9BB2387ED09ED5BD6,SHA256=9CA501EBCD6C3E9334EB767731C4D4F65BFFE5ECDEF91259D3DF74E097096277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491434Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:57.019{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491439Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.840{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60565-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000018491438Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:54.840{CBEA6AB7-4F8F-619B-2700-000000000F02}2892C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60565-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000018491437Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:58.449{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCEA87BB9EA1C43B0E273668BED5F09,SHA256=BEE0F72F0E34D48353BCC7EA09F61E77DDDC6E6352D6259B0609431EBF0E08B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253351Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:58.509{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3768F4322DC941AC62C32EC43FDE7BFF,SHA256=E6C33854A05DF0C2D20D96C954CED1B027DABAA46B93E66E66C4A30463E22C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253352Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:59.525{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3998A0C5D6CC8AF4730CC0CB0984235,SHA256=6988BC4AADEFB762DBACE5CBBFBEE65428ACD6C8693C294A063D27C0B2ECF49F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491442Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:55.260{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60566-false10.0.1.12-8089- 23542300x800000000000000018491441Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:59.464{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FFB5539E0811E75AB72B8F6FA4DC88,SHA256=43DBAB915E3D396E15C59010FB12A5BE04F4A7219060986EED7B5DDD7131CD45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491440Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:59.432{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=005CB27684060BE689750638C40E244A,SHA256=7D6F43958208C8B4F036B6EB621FDD6BAFC047372B91AD14B95140A9BDEF337E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253354Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:58.190{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-48612-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253353Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:00.540{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB11E6763556B99C1D78AB76FD980A0,SHA256=98CCDCBB43D0A0D841914F31D483598B554F174D721A3EB29DBB37EC676E91CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491445Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:57.389{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60567-false10.0.1.12-8000- 354300x800000000000000018491444Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:14:56.543{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-51834-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491443Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:00.478{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8034EECD91BF629C916FE423151AE4,SHA256=3D44ED9402BC61A1E96B646A603E36EF60133AE16E04C9109AA10ABA0E0AD5A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253356Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:58.505{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53582-false10.0.1.12-8000- 23542300x80000000000000001253355Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:01.556{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFD89B47290D48592AC3621A6075696,SHA256=DDF2EAC597A3F3757542CAE4D62926AF1E2A73A968AB9EFD785EA408411ED30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491446Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:01.497{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF382AFA1876743A2A3E3FED22C7A11,SHA256=54F4A4E063E658C41FA723D7FF3291D04C9D98EC2B130285E3DFFFC793F1021F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253359Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:00.628{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-60228-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253358Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:14:59.908{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-48154-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253357Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:02.571{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B9958F790024F193ABD2DC36E42844,SHA256=5921DE5C7E9DA79D91DFFB96070FC359FF7B1273E1BECE676DF3FBD3356BBF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491447Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:02.515{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DC94CE05E9CFDBEB13FBDEB179444C,SHA256=3D63C2CEDA5599AA2006BF8DAFB14FCB23AABC0BD68D966508E6E3F385E3D70D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253361Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:01.136{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-55366-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253360Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:03.618{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E38F6DFE93215D48E77B5B1D07FAE6D,SHA256=F3FCB3739B1CAC8A04567228CD3178107C05CE7774D93AC775C4587F60047546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491507Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.845{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8C874B11142C1A62E00C4316F516E9,SHA256=F32BB9B80DA4C37C18A7004CAA6AEA6E3B04C5DDDD3757243C6B96F6E0923683,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491506Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491505Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491504Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491503Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491502Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491501Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491500Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491499Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491498Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491497Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491496Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491495Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491494Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491493Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491492Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491491Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491490Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491489Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491488Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491487Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491486Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491485Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491484Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491483Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491482Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491481Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491480Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491479Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491478Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491477Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491476Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491475Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491474Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491473Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491472Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491471Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.630{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491470Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491469Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491468Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491467Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491466Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491465Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491464Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491463Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491462Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491461Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491460Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491459Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491458Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491457Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491456Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491455Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491454Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491453Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491452Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491451Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491450Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491449Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.614{CBEA6AB7-97BF-619B-D809-000000000F02}63767076C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 23542300x800000000000000018491448Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:03.530{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546E88C622CE4781FAC1F0A592324122,SHA256=D2CA1A2662A95803A881A9E0185443DBE763FA445C0CE1B758F6DE8D0AA0E90D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491510Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:01.394{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-42672-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491509Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:04.544{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95AA4E3215D7BF3C979BC4A803E0889,SHA256=E70F2B516FC1E2C02029ED4D2EC237A8CC32F1DC33C3A6CD61070D90BC6F47B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253362Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:04.634{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15A7DE1F1FB4C142524D1CAABBF9780,SHA256=AAD8F08B7A2020E66371935004007C3BC7B1A7C20E2374CF289A31F0419399FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491508Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:04.294{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=135655D11B524449CF6D9CD43FEFBE52,SHA256=529F9CE31ABF12118AEE81AACD6F5795BB7AA0E423C9DBAC2BF47310301F2A2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491512Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:02.454{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60568-false10.0.1.12-8000- 23542300x800000000000000018491511Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:05.559{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A33791DCD6E40027C935E5C86B2C276,SHA256=3538C685F11A530BBA5445C2E7896EC7A3CEFF41B78FCA6A42BF01D6131E0170,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253363Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:05.650{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC7E0C2613F32F44B39E4A01C343DB1,SHA256=CCFF767B0E328B10A1477B6F05E2375E0F94EDD9B0860C6F0D9711E574B2AC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491513Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:06.573{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91576CB40B3C4B8E2BFAA169D9A85014,SHA256=0BA407CC33026D100C854C57BC3140D19922EF1D535EA61575400BD33C6EE7C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253364Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:06.650{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73F51711E3838FAA576D696D9C34309,SHA256=2D9BBEAE5D02AC89A91EF777D273CB14DB83604C8E8775DA82583A7FCA01B36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253366Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:07.665{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6C3A0D6F651320F53AD6178C5EBBE1,SHA256=FFF4797FB677E490E4CE38C0FAF00CF3B2053FBB3AC43E0F3A59749E04A62B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491519Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:07.791{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491518Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:07.741{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000018491517Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:07.726{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 23542300x800000000000000018491516Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:07.591{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F8628741D4E9C1C95503FD23B6F58A,SHA256=5423BA61F70289F4725A186AF3D858408C7E9BC529BF0C75F4C6D51675AFB5DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491515Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:07.572{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E409F3CD3E4F3E8E81E9A61CFFFA874A,SHA256=56FD9D79317FDFCB9D554591C08AF5CC96B29CC11A42CE30BEC956AC3BE05E99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491514Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:04.668{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-50306-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x80000000000000001253365Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:04.301{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53583-false10.0.1.12-8000- 23542300x80000000000000001253368Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:08.681{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AD2D4DF2E3D8FCA309C3BFA25518D4,SHA256=70A4078B1E3E77B1B2CC08CA20AFC104D46EEE17DD85B64D83899886E6A3D450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491520Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:08.609{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9203FC19204B659618109E28A01F11B7,SHA256=E09CBE19082D0EA2E14840BBCA8898DEB958C04711F1D93AD35B2B3E0C741073,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253367Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:05.289{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-42638-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000018491522Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:05.562{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-43352-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491521Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:09.609{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171D08DCA2E79181A5BD0734E2D61E86,SHA256=62CF2D5EF7B93DC8A6C4862D93BD0951F0095FF8F1C85AEBB58CCD60943C1AAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253370Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:06.924{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-35256-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253369Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:09.696{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6F6ACF01040B7618E0396529877C3A,SHA256=76317C526D4698D74FD87218C6D55B518FFA8CB528F82F24F23146EBEDBF35FD,IMPHASH=00000000000000000000000000000000falsetrue 534500x800000000000000018491530Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:10.739{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exe 10341000x800000000000000018491529Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:10.724{CBEA6AB7-5528-619B-5E01-000000000F02}45047812C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000018491528Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:15:10.724{CBEA6AB7-97BF-619B-D809-000000000F02}6376C:\Users\Administrator\Downloads\WebBrowserPassView.exeC:\Users\Administrator\Downloads\WebBrowserPassView.cfg2021-11-22 13:15:10.724 10341000x800000000000000018491527Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:10.708{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491526Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:10.708{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018491525Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:06.998{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-46718-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491524Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:10.639{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE2F982CC3D6B5E61D3A5156DFBB14F,SHA256=AF674D3E636FB3D7B9545098FD9071449C8A4624B4EB66A2E1D096D9B2A443C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253371Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:10.712{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856392830DA2D53BD3647C447E54BF78,SHA256=3D072BEE7FF100173AE5456A1A37D067438A7E63E4D6F6637C010883D91E1719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491523Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:10.190{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA662C794996B31B67DAAF4EF9D77F45,SHA256=1333EADC449D3DA3EC74757CE7824CDBDB768BDA05B6E0339EF2AC69A67DB9F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491532Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:08.398{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60569-false10.0.1.12-8000- 23542300x800000000000000018491531Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:11.652{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E209DA902D258C2F2BD3F17215F063B,SHA256=359EF1542F5B77CA3293308E5720194ADD002F6588E1BB1F1ADA6CEAFCD60C38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253375Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:09.545{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-51028-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253374Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:09.154{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-44752-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253373Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:11.715{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36C1CB4DFA55778A82B6A4896368320,SHA256=0CFFC63506A8B91F629F6CC12698840AF26F3AA508B184F78764A483598ACE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253372Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:11.623{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211122080631-300MD5=2BDDF39925470B8EC963509AF6294792,SHA256=55F3B8F2085B1B773D0157DE95B74DA236A1C8442DB52BE5C71968FDD2B7F483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253377Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:12.729{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA086CBA6188F3E06EC48B3FBC364C81,SHA256=1B9F4B895AEEBEBF08275E6A8957C06B06B2E311D0E017DF4D0E933E05764174,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000018491540Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localInvDB-VerSetValue2021-11-22 13:15:12.770{CBEA6AB7-4F82-619B-1300-000000000F02}404C:\Windows\System32\svchost.exe\REGISTRY\A\{e792395f-b2b1-9ca7-59e2-801342dd18c6}\Root\InventoryApplicationFile\webbrowserpassvi|1542153769f323aa\BinProductVersion2.1.1.0 13241300x800000000000000018491539Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-22 13:15:12.770{CBEA6AB7-4F82-619B-1300-000000000F02}404C:\Windows\System32\svchost.exe\REGISTRY\A\{e792395f-b2b1-9ca7-59e2-801342dd18c6}\Root\InventoryApplicationFile\webbrowserpassvi|1542153769f323aa\LinkDate04/16/2021 10:36:16 13241300x800000000000000018491538Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localInvDB-PubSetValue2021-11-22 13:15:12.770{CBEA6AB7-4F82-619B-1300-000000000F02}404C:\Windows\System32\svchost.exe\REGISTRY\A\{e792395f-b2b1-9ca7-59e2-801342dd18c6}\Root\InventoryApplicationFile\webbrowserpassvi|1542153769f323aa\Publishernirsoft 13241300x800000000000000018491537Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localInvDB-PathSetValue2021-11-22 13:15:12.770{CBEA6AB7-4F82-619B-1300-000000000F02}404C:\Windows\System32\svchost.exe\REGISTRY\A\{e792395f-b2b1-9ca7-59e2-801342dd18c6}\Root\InventoryApplicationFile\webbrowserpassvi|1542153769f323aa\LowerCaseLongPathc:\users\administrator\downloads\webbrowserpassview.exe 13241300x800000000000000018491536Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localInvDBSetValue2021-11-22 13:15:12.754{CBEA6AB7-4F82-619B-1300-000000000F02}404C:\Windows\System32\svchost.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\WebBrowserPassView.exeBinary Data 23542300x800000000000000018491535Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:12.654{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD88840682ABFBE0EC5444069D1645A,SHA256=9F0729EF2971FC0A28C65D2891EE90B7C1FDD477F0B24763FD98098434894330,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491534Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:12.287{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491533Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:12.286{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253376Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:12.622{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211122080629-301MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491542Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:13.953{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3A38371EF78BC8CEB490FD74021D9E,SHA256=1B60AFE786A4A4834669AC2A901D7D9DE17BC71AE11624CC14EE03166B8C7AAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491541Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:13.669{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A244F9FC207F3F162E201DE876062830,SHA256=13B952806C8DEFD358543237D791E9A2624668628CE3876C9C353F99B3F55A46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253379Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:10.286{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53584-false10.0.1.12-8000- 23542300x80000000000000001253378Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:13.748{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67DDD4DBEB7B98BE1B983FB4F45A248,SHA256=8859E3FE0CFAA5679E6046C563E6CEFB66E9F273B3DAFEC70D65EEC78F9857E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253380Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:14.764{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D068496810441F016A0FD851FE9BFA19,SHA256=7A11B00B5A36E0E56E20FBE0FD0BA47913F82C0C4D79AEFF283BF2B8DE157C13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491544Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:10.929{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-54776-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491543Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:14.688{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C3172174FCC2C463C10387EFFD2041,SHA256=9E383F4326D73B5B7EF6BB89AE397385779AE00D7DF6D295EC19853E2E1B8E4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253381Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:15.779{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA724B15F3D5973D7946C2EBE7A5C62,SHA256=32D70694E4D6992166BD277FC3F575915C9CBA8F2450C48E9BF5535CD0B48AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491545Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:15.708{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C706B27079E463F1C29B256546DDCA13,SHA256=F318600198909E3E15C3FAA32BFABD6F1599FD6CB2628F56CA258FA4EF2C2A2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253382Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:16.795{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F026C577A563EA5770FBF29C285BBC62,SHA256=F6CD3935C6B85DD15BA687948A8628DC16C6E211D6F4C6572559D34F6616FFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491546Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:16.723{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D057B82D85DBFD300BC401CA78F8BB,SHA256=C76E273003D2C6D5ECC2126D59B4298A4A9A76072E5CCCAE7C702BBBE951F185,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491548Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:14.326{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60570-false10.0.1.12-8000- 23542300x800000000000000018491547Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:17.723{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15BE965B3578B942B62A1F02ED50DB8,SHA256=ED4C9B07BD97FAD42A203FC640D363149F6E8766FC97BC8257C018078C4A411D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253383Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:17.811{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AA34684E12A351F2F2A38D22D8210D,SHA256=A04E5D4947B27878E419B888BF7686CBC78B6BDEFFA3F91FC1E65145E87D9586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253384Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:18.811{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B554D8D17E10FAE1E4A624BCD7F3624,SHA256=A993C1AF6DD0A2C6B700C9E35293D06A4C92A65FF1609323B52E47440A0AB7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491549Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:18.723{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B6F24898DFEA74D9E44C1E96C0DEE3,SHA256=993A90174F15469C7383638C027F3A745FBAFEF931450F2E154CCAC451DFE66B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253386Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:19.842{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC349D356B9C20E9FD3C00B23EE1229E,SHA256=67B8AB9135FAB4DB70D1E1364903B5388F0C428592E1BBE76FEDC043CBAA1BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491551Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:19.823{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491550Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:19.738{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB4C8DCD3B512D96DED872CC5536646,SHA256=D6E2D205A4F5209BCC1E20BFEA539F77AE62E1D79AB2840F8BF5F4F9011EEE10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253385Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:15.496{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53585-false10.0.1.12-8000- 23542300x80000000000000001253387Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:20.951{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E74BC9A10135ED7C8F8C54E8DEE2352,SHA256=A68C196F59D591AD9F23881C56E7EFCEAEFEDA5689DA99B9C10025A2AC15B2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491553Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:20.753{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E272695DC0047869CF1EE5D9A235780,SHA256=B8B80F8C33E776821F3599B5BE1BB2B84842148044479E7366A2B90C988998F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491552Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:20.471{CBEA6AB7-4F8F-619B-2E00-000000000F02}1156NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211122080641-300MD5=A1D0D577F42544DD772EFF490FF2796C,SHA256=BAF9C27C7C1429C61A9430176677A01FBBE9BC9408F59946D1FBAFE42606F366,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253388Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:21.982{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D733FD6191CCF66B84236CFA8E08E48,SHA256=362BF09C301DD6F8F30A8E48B4B630BFDC1DF1A436CA4C9BB995109AC1A5FC74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491555Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:21.769{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20FA1D685850E748D38FC6A78200454,SHA256=0F6F780A0DE23DDE034E99587E78F8AEB438A1AF4084B51B0CF56CFB5DBE892A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491554Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:21.484{CBEA6AB7-4F8F-619B-2E00-000000000F02}1156NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211122080639-301MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253389Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:22.982{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EEA3221F89E93EE46E03BE75BE9907,SHA256=5C7AE14DD80AD67BCDE1D29D0B6C4FFBB19771951AB8E9608EC45656FBEE1D7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491559Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:19.346{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60571-false10.0.1.12-8000- 23542300x800000000000000018491558Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:22.789{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE63231257D705749046DA189D809FCD,SHA256=1DD352FA63DF3CAA66BF7E26881F70DD61116A39C5D1B88A03F91B68F0E265AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491557Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:22.237{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491556Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:22.237{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018491563Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:20.536{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-47460-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491562Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:23.804{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F97D63846A4DA7E4B5FE1A359CA7020,SHA256=89EF709CF0D4C0AF19A68709173B66C9DF330BB2D59B1526A7BF8C0FB97341E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491561Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:23.436{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C3763BEA053DC3F80B35FA3CE76D966,SHA256=F5D050F7D2F95AF1D87002821DDCC12C547B0290FED877021A385BE621D0B92F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491560Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:23.436{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7D448533AAAFA8DEE115EF1525ED0C8,SHA256=268D9D1C67845BA215892298E0337DCC19DF331C7D0554B4A5016C380FBC2A8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491564Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:24.804{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79CB7E1379267FC53A1FE0A2F63EB56,SHA256=480E148A044EC9FA1F007D00AB9D9F7633A38B3A9DE408A7750B402D24402AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253391Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:21.447{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53586-false10.0.1.12-8000- 23542300x80000000000000001253390Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:23.998{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B909EFAE9E8CF525801DFE85B183F1,SHA256=238EF8C2BA7577F9CB24C822CC3B01ABE2E0098988833DCA489FDBF8135FCCC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491565Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:25.820{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB53A7F3F9F9C02A05F34E61826FE88E,SHA256=49B7039E1E3EF0958DC1ABD7A6DCDC64F74B4827FF409C17016C902BD9C66F01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253392Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:25.029{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616A444DEF9E495519E579E146E23346,SHA256=E6CA7406C0FD026B01C49C8ACA85575A1B1DCD9363F42B53875401CF4C6C03D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491566Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:26.835{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950FF50EAE66E85BF766EC3D97203747,SHA256=2463C8A486C71593609EAF3DFDFA2EECD10CFF24EC11E081FC85A7A5C05D9CBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253394Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:23.630{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-47774-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253393Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:26.045{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE7C985714B8A439CBBE9E6967CDDD7,SHA256=A468CCB48AE2C60FFFACDC777A076939803D2DECC470F15320DE502CFEB0616D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491568Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:27.850{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE97BE26ADE3E6CACD448BB61EBC2AE,SHA256=FEC99444C752F4F7A45B3706D0ED9AE1A4EF0B6B7C51418E57591C60F308736F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491567Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:22.908{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53587-false10.0.1.14win-dc-970.attackrange.local49672- 354300x80000000000000001253396Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:23.914{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53587-false10.0.1.14-49672- 23542300x80000000000000001253395Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:27.061{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711A9BFE0387475BAA3A777CB7387EAB,SHA256=219BDA460283D02A23465B83B77110FE1D76FA05B7BF6D344FF51E99A6350236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491571Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:28.880{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66227B757498C282E07F2CECF690C244,SHA256=91DB31F07B67011E7AC91ED7E80FDC475D26CABD091D3384D04EEC478E61CCF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253397Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:28.076{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C139BE3EBC2A646BA0DB715A8F3026,SHA256=90F8A028BB101A72743265DEFF5BDB19D96F4392F4203EAF079660BBFEA63E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491570Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:28.118{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C3763BEA053DC3F80B35FA3CE76D966,SHA256=F5D050F7D2F95AF1D87002821DDCC12C547B0290FED877021A385BE621D0B92F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491569Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:24.459{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60572-false10.0.1.12-8000- 23542300x800000000000000018491574Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:29.962{CBEA6AB7-4F82-619B-1100-000000000F02}436NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C1252F10130288CC6DD2AF65BB3DA99F,SHA256=2F9062111025139498CDEC06E5590370295DF575C5B40D933C3A47291C0FC8EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491573Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:29.896{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEB80A7B63A139C7A2CFEFF05DB22EA,SHA256=C4604C45863D062A13B476D785DA6061F962C8E6B0F6F6395BC48068D92EC157,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253399Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:26.478{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53588-false10.0.1.12-8000- 23542300x80000000000000001253398Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:29.092{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8009AB222F8FBAC9DF14B38BD63B3E,SHA256=638B623B0A618D38F6DB780657BC39AE87C5FFCBD43F41944738A8F937D75770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491572Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:29.663{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAA7AB21EB61EACFF107E0CC4A218AF5,SHA256=7BDE2DE349759953FFC255EAEE8F4B5DD2B6235C69AB90369F855F4A14F5DDDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491577Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:30.914{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CA5715EC7ECF9C688F53E23E578985,SHA256=A133E974D18CD233F6C450F0BAB1A8D5612C10894A73D39F7B193C5B936A776C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253400Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:30.107{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8EBC1A59457511453A23C013C6127A,SHA256=AA3EF820AC12C9DA28488345B58DE0EA71D1DC334DAA3435EAF05496FD382956,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491576Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:26.774{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-33154-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018491575Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:25.191{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-40428-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491578Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:31.929{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F953280F2E4062596D8CA70E673435,SHA256=C285924F9734C5951B14A96DAF29A624E9A33E82738B6BD1267FF43E30772EB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253403Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:31.654{068A336D-4F84-619B-1200-000000001002}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2A432D1175CC8380360D8048B9C2B0DF,SHA256=ADBBA1BC137F8533CA77FA5BF252006AA84AFB40EFB94452683BC28D8BAC6D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253402Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:28.698{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-54476-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253401Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:31.123{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1286FCDFA89BFFD99E1797B4D7B1BF62,SHA256=83B02770D5EC958BAD80792BC561A3F7507B8C7A578391CA3630FD86639468B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491579Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:32.943{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1005304417D52B231667CCEE9F09CB,SHA256=C0D79B2553723B80F1E24814ED9CBF4496E92626926D78FDE79E51177C0346EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253404Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:32.126{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E642150DF87B6E1A9C04A9544E30AA8B,SHA256=42E79E5308A8ACDD1F06C3D374C8DC92DFE9E016E33A0888A911B43C6A700253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491580Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:33.958{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D9ABF00756BBD58BCA981CCF516144,SHA256=069CBEE752F21D0596D54ED6805B48E691C92161D713DD5481C453519940F863,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253405Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:33.142{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285952B1D8374DE2D3C342B9108C4A0C,SHA256=3E9C14B0DE6368D9BE95D4B67446FF6785CDE263D5427243D28CB0C1F516765D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491583Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:34.974{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB4C40FAF0A44353F6D801778B24C92,SHA256=A5219B3B4B8E0BEB6FFC70CBF3B252E016FCF8DF1DF964852ACD4F3734DC1DCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253407Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:32.356{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53589-false10.0.1.12-8000- 23542300x80000000000000001253406Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:34.157{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6E46BD40025D8C7A522B4AE7908A62,SHA256=686758D6C307F7D1A462AFF3ADB34817694C472C86BF851CA580F28B9A006745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491582Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:34.293{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E7314F24112B272E8B432849C74FEF5,SHA256=FF91B8091C6823F64D0230400831AB02FAA9A6A033497D32B9F00DDD12AFC308,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491581Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:30.284{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60573-false10.0.1.12-8000- 23542300x800000000000000018491587Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:35.995{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A72EEEC506A7E9F609D9B5A403E29F1,SHA256=9FE491F7D32B8ECF0E69C77D76F9875B7D7051170F160DCE4E09C3ED8749034B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253408Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:35.173{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDFD784D84120163CDACE7B86B5B109,SHA256=279E41DF4CAA6068F342C96A0165711E59AE1DFECF6630DA1874E2D124449299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491586Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:35.813{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C60A19CCC85364BF6CF45E3BEC347FAD,SHA256=5DC3548F7153F72D5B81025DF6C34654C91E2BBCB1D84D137F19E2E75159DB6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491585Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:31.484{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-50968-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018491584Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:31.293{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53344-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001253409Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:36.188{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BEEFED9105031A87F09074DEF6B85C,SHA256=3E2C899EC416525EF7330CA2B1DB7E1BCF19F916E5C819FEB27314B077D7A6B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491588Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:32.730{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-56888-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001253410Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:37.204{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73E3705612432566FF3C7AC7A757FC9,SHA256=654DB9B2D99B8328921727072E7321C4CA54C079555B3205C9347C486D6758DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491589Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:37.012{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE71CD62B6A9D4F05B128C70ED46D989,SHA256=6347892D19A2767E46AA0E5129633059B59A79AC8C3E060211A0DD1228106921,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253411Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:38.204{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4065E971CBAFE8EDB53F2B2FB2ACAD0E,SHA256=109DC6EF52D3ADFD9681585B93BA69CC4CCB528528EC70ECAC7472C9470CE79A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491591Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:35.351{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60574-false10.0.1.12-8000- 23542300x800000000000000018491590Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:38.026{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8A82C72AA87035F4BB28729BFEBDB6,SHA256=69469EEB1D99BB11E62546693E7D54E20630F200F3AD70A1035788B072159623,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253413Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:37.452{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-49018-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253412Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:39.220{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8048064C93E81FE8C33221EA1671707,SHA256=780151731A66B76D1B4DF34699AAFD7679819550FC3A4AAC820FC495A2C6FD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491593Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:39.457{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC923E63B9BBFFE7D27BD768D58B652,SHA256=B19F5A4493BF01C3C4A099C677991BF7AFBF12542A81F9BC50BCD665C3A3BBFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491592Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:39.057{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D45C3638DD2BB7BBB6BCE0BE0EE0F70,SHA256=4A402F34CC3BDBCC03C34585031E9040B9351AF943E65333E4A73B9B7ED68F38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253428Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:38.356{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53590-false10.0.1.12-8000- 10341000x80000000000000001253427Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97FC-619B-1309-000000001002}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253426Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253425Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253424Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253423Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253422Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253421Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253420Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253419Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253418Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253417Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F82-619B-0500-000000001002}41692C:\Windows\system32\csrss.exe{068A336D-97FC-619B-1309-000000001002}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253416Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97FC-619B-1309-000000001002}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253415Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.470{068A336D-97FC-619B-1309-000000001002}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253414Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:40.235{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304961067E79512850539994B7B7488D,SHA256=62D1C578245C86CE83B03F81095082E4B36DA5738CC6AB06AFA67313A37E9BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491595Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:36.544{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-33954-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491594Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:40.058{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6256303BE0C341DD09BBECB672DFA99,SHA256=AC3CDE995C6E8F8E82D1883218F52F090E9509C8A3A1FCAC1C6DF46BC83393F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253456Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97FD-619B-1509-000000001002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253455Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253454Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253453Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253452Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253451Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253450Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253449Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253448Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253447Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253446Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-97FD-619B-1509-000000001002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253445Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.813{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97FD-619B-1509-000000001002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253444Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.814{068A336D-97FD-619B-1509-000000001002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253443Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.423{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40567191ED9B6F27933487687A799696,SHA256=83DB62B9E572A2150654BFEDFF0F0238858E8B8EB5DDEC0148931B44F887F1EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001253442Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.345{068A336D-97FD-619B-1409-000000001002}9721352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491596Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:41.073{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B131E81F5161D608818C249B704F7EB,SHA256=A009C0C028D184F18447F8A907A77E0C12BD1B14A1B8B4F78E66A7FE3A9E033B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253441Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97FD-619B-1409-000000001002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253440Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253439Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253438Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253437Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253436Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253435Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253434Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253433Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253432Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253431Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F82-619B-0500-000000001002}41692C:\Windows\system32\csrss.exe{068A336D-97FD-619B-1409-000000001002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253430Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97FD-619B-1409-000000001002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253429Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:41.142{068A336D-97FD-619B-1409-000000001002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253457Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:42.423{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB9C04119DF2D054B957DF0CE8456B1,SHA256=91EFCC0901D3AEFC1F2CE6A83CCDFB5278381BCA7AA15C2D068617C5F43E7DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491597Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:42.090{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4F60E95CB2E10848D150A7CFE095F4,SHA256=FCCD96040DF503F44F43EAC18D0BB2380BDD33A531370A6499100D488B49CCEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253471Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-97FF-619B-1609-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253470Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253469Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253468Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253467Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253466Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253465Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253464Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253463Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-97FF-619B-1609-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253462Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253461Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253460Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.985{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-97FF-619B-1609-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253459Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.986{068A336D-97FF-619B-1609-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253458Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.454{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB2B4E4FA048319D37B75B4FB545B90,SHA256=254A2BD73137C535CF1E195B3C1AF1ECC3AF1105D95B7DF1AAE02E8B071F06D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491600Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:43.709{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491599Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:40.364{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60575-false10.0.1.12-8000- 23542300x800000000000000018491598Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:43.125{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F904F8BFF52300C5DB69ACD900181B23,SHA256=F30BADE275EFDC552FEDB23E0FA7E36F5780C6F440C7ED4C9963A42B4FDF4D7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253487Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.829{068A336D-9800-619B-1709-000000001002}2176440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253486Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9800-619B-1709-000000001002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253485Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253484Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253483Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253482Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253481Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253480Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253479Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253478Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253477Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253476Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-9800-619B-1709-000000001002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253475Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.657{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9800-619B-1709-000000001002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253474Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.658{068A336D-9800-619B-1709-000000001002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253473Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.470{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDDB75B6A4049D1029515B757FD3556,SHA256=9F623D39D150F61A1180FF635615DED0B76CFCBC17371031CCEFF5871CEDEFCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491626Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.571{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491625Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.556{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491624Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.556{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491623Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.540{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491622Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.540{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491621Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.493{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491620Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.493{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491619Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.493{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491618Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.493{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491617Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.491{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491616Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.490{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491615Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.490{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491614Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.490{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491613Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.472{CBEA6AB7-4F82-619B-1600-000000000F02}13048028C:\Windows\system32\svchost.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491612Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.472{CBEA6AB7-4F82-619B-1600-000000000F02}13041344C:\Windows\system32\svchost.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491611Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.472{CBEA6AB7-9800-619B-E109-000000000F02}74927420C:\Windows\system32\conhost.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491610Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.456{CBEA6AB7-5525-619B-4D01-000000000F02}12682264C:\Windows\system32\csrss.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491609Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.440{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491608Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.440{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491607Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.440{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491606Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.440{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491605Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.440{CBEA6AB7-5525-619B-4D01-000000000F02}12686108C:\Windows\system32\csrss.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491604Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.440{CBEA6AB7-5528-619B-5E01-000000000F02}45044268C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+1f9bca|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+175660|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+17c4a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000018491603Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.452{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Users\Administrator\Downloads"C:\Windows\system32\ATTACKRANGE\Administrator{CBEA6AB7-5527-619B-F481-110000000000}0x1181f42HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x800000000000000018491602Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:41.361{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse112.31.195.234-64561-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491601Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:44.125{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE0E4721218B935591C60A1CF0D2774,SHA256=2583D659E3CBB9CA3CCCB79C73B9D8FE72EAA327ADE55676741E53469163732C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253472Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:44.157{068A336D-97FF-619B-1609-000000001002}9404084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491629Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:45.308{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C2372F53670E666EB532375100F0D97,SHA256=7C249937FD0BE4AED0CCC0A0AF732949AE2F38C72C389D79E63314410A08E1EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491628Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:45.308{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9D32947DF574562A5275EE3DAA19C7C,SHA256=95E1381FB622D11305A2559380468DC00D509BAECE639BD4514223AC3CF3768B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491627Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:45.139{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8637A30FDA3184E1451374FA8DFEA653,SHA256=3941F74DCFD6B1320A6977D80E109A0B060F8080AE5AB6A2ADA56DDBFEEC326F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253501Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.532{068A336D-9801-619B-1809-000000001002}8723320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253500Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9801-619B-1809-000000001002}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253499Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253498Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253497Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253496Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253495Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253494Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253493Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253492Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253491Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253490Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9801-619B-1809-000000001002}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253489Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.329{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9801-619B-1809-000000001002}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253488Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:45.330{068A336D-9801-619B-1809-000000001002}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491630Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:46.154{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418D06613009F4093169A538A8C87D7B,SHA256=E666C6B0DC8255B96BC0FA34B0A3730073892FDEE64B5DA92F1B58346736BA3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253503Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:43.403{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53591-false10.0.1.12-8000- 23542300x80000000000000001253502Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:46.001{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA297E78D30B2C16CCCD48F407AB0743,SHA256=1C4F98598C8720704730AB277A38863833606983ADD94D3BCFD83CE9F54FFF6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253505Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:47.470{068A336D-4F85-619B-1F00-000000001002}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253504Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:47.048{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AD93763E0F036898E31789B826BF31,SHA256=15E9ACA44F8813FEBFB7D754D61691C35682477784B8C6E3D5961EC12C85C925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491631Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:47.155{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7BD50E7C7DB8102FB20AC95CD3F466,SHA256=1E2C3DF427F176891E3FC256B7512FA37E4675C004828E49642748A50E721D33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491641Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:48.939{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9804-619B-E209-000000000F02}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491640Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:48.939{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491639Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:48.939{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491638Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:48.939{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491637Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:48.939{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491636Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:48.939{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-9804-619B-E209-000000000F02}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491635Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:48.939{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9804-619B-E209-000000000F02}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491634Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:48.939{CBEA6AB7-9804-619B-E209-000000000F02}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018491633Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:45.463{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60576-false10.0.1.12-8000- 23542300x800000000000000018491632Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:48.171{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAF307893B6D14304CF8866F0F38D27,SHA256=C6AB38C2DC578E25574C0AE00428B4F7905C8763AEE2FB7CF5808DCBA2186167,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253519Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9804-619B-1909-000000001002}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253518Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253517Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253516Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253515Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253514Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253513Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253512Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253511Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253510Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253509Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9804-619B-1909-000000001002}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253508Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.157{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9804-619B-1909-000000001002}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253507Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.158{068A336D-9804-619B-1909-000000001002}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253506Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:48.063{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BE79A55A5FCC9BF27D0B44C37B9C84,SHA256=EE603F3FD1F36850F7CC7A7A2EB03B5D8C3B86796CAB8411F700622DDDA4CBFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253522Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:46.699{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53592-false10.0.1.12-8089- 354300x80000000000000001253521Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:46.265{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-36434-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253520Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:49.157{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14C87EC77AD6044188BFB0C7FB797DF,SHA256=BBBD9A16CAC385E703D0CE382964A51E7A4D4B0B1EC2E7BB91B17D255C882752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491651Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.954{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C2372F53670E666EB532375100F0D97,SHA256=7C249937FD0BE4AED0CCC0A0AF732949AE2F38C72C389D79E63314410A08E1EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491650Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.607{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9805-619B-E309-000000000F02}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491649Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.607{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491648Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.607{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491647Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.607{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491646Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.607{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491645Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.607{CBEA6AB7-4F7F-619B-0500-000000000F02}412480C:\Windows\system32\csrss.exe{CBEA6AB7-9805-619B-E309-000000000F02}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491644Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.607{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9805-619B-E309-000000000F02}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491643Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.608{CBEA6AB7-9805-619B-E309-000000000F02}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491642Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.191{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA809A0C36C2227802AB72F98A022F53,SHA256=2C3FD74508B2283184CF3D752012F5CDEA01231FC56EFC66EE22E36477BB1F35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253523Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:50.392{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6DBACD0B49120D867F09D93B0CC663,SHA256=04445E5488902F9F24032A6E02FB3DF3849D57F0442B6351EE26C1342156694C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491661Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.423{CBEA6AB7-9806-619B-E409-000000000F02}39965576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491660Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.223{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9806-619B-E409-000000000F02}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491659Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.223{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491658Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.223{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491657Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.223{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491656Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.223{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491655Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.223{CBEA6AB7-4F7F-619B-0500-000000000F02}412480C:\Windows\system32\csrss.exe{CBEA6AB7-9806-619B-E409-000000000F02}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491654Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.223{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9806-619B-E409-000000000F02}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491653Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.224{CBEA6AB7-9806-619B-E409-000000000F02}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491652Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:50.207{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C57228934ECB9764907B06053D301A,SHA256=EBEA440C9B8234E0146D287E3FAA0C4A3221C58B6815B354B365CB8516A443C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253525Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:51.392{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFEDB5963D3B97BA5F8CB8FB8D348995,SHA256=8E5954CC2381BF7CF25193E00182B9A9CA348BDD8198E387041F18EEFB0EABF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491671Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.921{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9807-619B-E509-000000000F02}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491670Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.921{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491669Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.921{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491668Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.921{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491667Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.921{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491666Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.921{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-9807-619B-E509-000000000F02}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491665Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.921{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9807-619B-E509-000000000F02}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491664Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.922{CBEA6AB7-9807-619B-E509-000000000F02}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491663Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.253{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FD7ED2E1831E66C62E2DD12DE714B8E,SHA256=4358C96D0AAB2262D484723A9DF8BBC3776BA891A28EECF70C7C1CE956C6491A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491662Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.222{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5AB47232755A4A5BB85AB5B24E0393,SHA256=56D51200CC029628022FC4D8E908971A0CACDFA6959A2DB8B995A94D997AD7C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253524Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:49.355{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53593-false10.0.1.12-8000- 10341000x800000000000000018491683Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.652{CBEA6AB7-9808-619B-E609-000000000F02}79247408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491682Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.468{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA75174D7CFD1F647E99ED49AF999E62,SHA256=98AF10A75197C0590EAA3B68DC8A0477ED9B711AEC5B51F66BFF5C30620EE6EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491681Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.452{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9808-619B-E609-000000000F02}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491680Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.452{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491679Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.452{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491678Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.452{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491677Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.452{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491676Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.452{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-9808-619B-E609-000000000F02}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491675Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.452{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9808-619B-E609-000000000F02}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491674Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.453{CBEA6AB7-9808-619B-E609-000000000F02}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491673Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.236{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5FC94FD17439C25353E710356EBCCF,SHA256=FAEC7B288A3E464EAB3ACABC36E63FE6FE5B7181A4C6B661F7BD3707ABF08250,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253526Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:52.397{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E61D13AC1E3B42DAB04A6E90BCE1E3,SHA256=E478FB3896D099F0382E198B1EEB60A230F5AE7464FC8A759783A8F224CA2A64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491672Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:52.089{CBEA6AB7-9807-619B-E509-000000000F02}75567656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253527Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:53.413{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B37A795CCC37F6097234FE676F7BFF8,SHA256=D2ED4970F269C31157B4216759EB461614FBD8318F668B6FE153F48DA6F81FB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491702Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:49.582{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-33614-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 10341000x800000000000000018491701Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.619{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9809-619B-E809-000000000F02}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491700Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.619{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491699Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.619{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491698Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.619{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491697Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.619{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491696Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.619{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-9809-619B-E809-000000000F02}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491695Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.619{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9809-619B-E809-000000000F02}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491694Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.621{CBEA6AB7-9809-619B-E809-000000000F02}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018491693Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.304{CBEA6AB7-9809-619B-E709-000000000F02}7528964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491692Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.251{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264B3E4ABD84FA84370AF8056E7433BD,SHA256=11938A29DDCF72418860F6A7DFFCB14CB02510034257F9932F76625D7141DB9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491691Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.120{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9809-619B-E709-000000000F02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491690Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.120{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491689Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.120{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491688Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.120{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491687Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.120{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491686Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.120{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-9809-619B-E709-000000000F02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491685Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.120{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9809-619B-E709-000000000F02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491684Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:53.121{CBEA6AB7-9809-619B-E709-000000000F02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001253530Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:52.485{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-50272-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253529Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:51.768{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.88.253.3838.253.88.34.bc.googleusercontent.com53089-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253528Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:54.413{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CB44DB1E30C589F1831A7AFC2FAF5C,SHA256=DF04C90E2C373AF48EF5170E6DD2DB5D2ABCDA230EFFFD8309C22BAD0E755D0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491705Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:51.443{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60577-false10.0.1.12-8000- 23542300x800000000000000018491704Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:54.266{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC71F1A71EDD44A5F454E3B56780C78,SHA256=7A88E7C18AD795FA9A08E2F2EA90B348397DE02894A1764FCCDBA7E812CE5227,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491703Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:54.135{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61073CF0B92E99D0F527C30BBCF24DA2,SHA256=23AAEB6CA6D03B01C89866BA6BC6F5F0FA3A11948CE19B75B1F36DA4970EE54F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253532Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:53.208{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-55208-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253531Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:55.631{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D881AB3A7A06FB802655D870FD6CB077,SHA256=58E57D6AC9C7F2812EA8A2580A965A463B102FB9023676DFB59D1C9B98BDDA57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491706Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:55.286{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C614E2C58BB2D14EC0090EB2A72768,SHA256=F92B171743D03A19D4F679A3EE0AFE04300E83F9E9A27F2240F89D9F033D442D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253533Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:56.694{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC96C625829D743B8E3FF93F3EA411E,SHA256=0BCA013161B7ACC453C2E72450834745F5ABBDE41D8446DB585DEA0EC5D254A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491707Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:56.302{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F03DA711F597EBBF52C85BAD0C767D1,SHA256=7D049B8C0E0A4B97CF994319C69FA7FD87E85B16EBB3A781D3002CE16FF22D6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253535Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:55.298{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53594-false10.0.1.12-8000- 23542300x80000000000000001253534Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:57.725{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552A9D1D6A491A77EAFA24D185CA1204,SHA256=2B75F191E713FB74F7D2D144E4FC4F6D73F53E308523B522A0AC0401ECE56707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491710Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:57.648{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=101F22EBAEBED9968AA1900C668489E9,SHA256=2A986B9C10EA8B6F755748EC24728AF870ACAE0D41AAB2AB00C14EEFD6E2E249,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491709Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:57.317{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFF6EA4AAC7C0D26D5E13C71B24F244,SHA256=CDC897F256B0BF6BE81F3A7CD9C37A7B924EE0C9E081C9808620B874533A173E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491708Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:57.048{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253538Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:57.010{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-40384-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253537Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:56.445{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-58414-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253536Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:58.756{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60584604122B3D65485AE0ECC1A432B,SHA256=1922CD23A4B82619235F58A31BE34CD72EF7876EE860125992F44371B5EB9AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491716Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:58.663{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A910B6C0E234137774E57F45B429666B,SHA256=A4A31D9189E271BD7FBD094F5BC1CA921203207B933403FBC1443049914C58BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491715Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:55.756{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-50472-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018491714Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:55.272{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60579-false10.0.1.12-8089- 354300x800000000000000018491713Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:54.856{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60578-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000018491712Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:54.856{CBEA6AB7-4F8F-619B-2700-000000000F02}2892C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60578-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000018491711Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:58.332{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5958A0A07E099168246F66A2DBB741,SHA256=2A473FBA53B37F65F1EADF06D76C3CB772A3DBBDDF650C64205AD03112D50486,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253539Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:59.772{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99F312C4E8C79D20CCF6129E7C2AF8A,SHA256=CDA76B73367093530076EA771D449445DA6DEA35214178BCB5AA0C1E8D72D0CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018491803Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491802Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491801Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491800Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491799Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491798Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491797Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491796Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491795Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491794Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491793Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491792Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491791Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491790Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491789Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491788Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491787Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491786Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491785Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491784Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491783Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491782Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491781Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491780Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491779Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491778Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491777Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491776Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491775Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491774Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491773Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.964{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491772Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-4F7F-619B-0B00-000000000F02}6322488C:\Windows\system32\lsass.exe{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491771Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-4F7F-619B-0B00-000000000F02}6322488C:\Windows\system32\lsass.exe{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491770Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491769Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491768Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491767Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491766Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491765Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491764Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491763Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491762Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491761Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491760Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491759Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491758Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491757Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491756Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491755Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491754Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491753Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491752Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491751Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491750Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491749Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491748Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491747Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491746Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491745Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491744Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491743Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491742Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491741Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491740Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.933{CBEA6AB7-980F-619B-E909-000000000F02}74405732C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491739Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.879{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491738Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.879{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491737Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.879{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491736Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.862{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491735Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.862{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491734Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.847{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491733Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.847{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491732Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.847{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491731Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.847{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491730Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.847{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491729Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.847{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491728Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.847{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491727Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.847{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491726Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.784{CBEA6AB7-4F82-619B-1600-000000000F02}13048028C:\Windows\system32\svchost.exe{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491725Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.784{CBEA6AB7-4F82-619B-1600-000000000F02}13041344C:\Windows\system32\svchost.exe{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491724Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.647{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491723Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.647{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491722Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.647{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491721Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.647{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491720Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.647{CBEA6AB7-5525-619B-4D01-000000000F02}12684868C:\Windows\system32\csrss.exe{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491719Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.647{CBEA6AB7-9800-619B-E009-000000000F02}50205668C:\Windows\system32\cmd.exe{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491718Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.658{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe2.11Web Browser Password Viewer-NirSoft-WebBrowserPassView.exe /stext c:\tem[\1sdasdadaC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{CBEA6AB7-5527-619B-F481-110000000000}0x1181f42HighMD5=F3D20449BAB41301AEFAD304CB02773B,SHA256=C41216EEE9756A1DCC546DF4FE97DEFC05513EED64CE6AC05F1501B50E6F96CC,IMPHASH=6CDE2F49ECF3CC2F14739BABAA8FD75F{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Users\Administrator\Downloads" 23542300x800000000000000018491717Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.363{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2CCB01C00B80448DBD889467DCF210,SHA256=59BEAF7C55CE83873CE0F5D10A9E0E5B6E4AF75BF5944C88E45983AE4238979B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253540Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:00.819{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865607396D65825A18BA328C78A4F787,SHA256=697E1543056BE9D0C95E817F00F0A141056A3ACBE4B3325C369137B486F98137,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491807Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:56.681{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-52268-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491806Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:00.662{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80E9432DA9FB1C4F8F6460D65049ECB4,SHA256=F72BE3B6D9FA85B878A37D656C04BF8162459FA77287CB2B2DB772662F8A50FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491805Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:00.615{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB0F8E5F484026248A95F7E943AFE2F,SHA256=B04DAD74C6D5C55A0D16128AEB410B20A77C93095B89ED09347B3C3DEA139832,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491804Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:00.015{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233EF6B2221DD1D457598BA7544E7FC9,SHA256=6F71CB593B1BA65CBBC74C7CAA909ACD2030F473C4AC44C70CEE7A4B3AD01D41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253542Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:01.866{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7CAB9C3173F09E09ACC78D69BE3348,SHA256=EAEB9FBDB0E4580AEE4E283D7F987EDBDD8A06D4A074BA3F033553C1467B76B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491809Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:57.370{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60580-false10.0.1.12-8000- 23542300x800000000000000018491808Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:01.630{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42678AE8F429F445D10E51D20EA218DA,SHA256=72ECFED769EA07D4ADAA1791A602AEFCD2BD536CDBBA911F86A84169D4B5B16A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253541Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:15:58.729{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-43764-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253543Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:02.866{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895EE9DABE01B587574DDC02AA2B6B3D,SHA256=7CBC992A0A60F3FA44720F4EDC6EB9AE2C08821A6BE273E72D7340BF5C3197C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491825Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:15:59.088{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-57494-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491824Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.645{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1C9BA32835B3ADB817915DF88DAA58,SHA256=DDB5E2C75906924D8D75B1BFC1886A5948242FA2DCB14DB3F9F0EFF59CF0A99C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000018491823Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.461{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exe 10341000x800000000000000018491822Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.445{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491821Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.445{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491820Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.445{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000018491819Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:16:02.445{CBEA6AB7-980F-619B-E909-000000000F02}7440C:\Users\Administrator\Downloads\WebBrowserPassView.exeC:\Users\Administrator\Downloads\WebBrowserPassView.cfg2021-11-22 13:15:10.724 23542300x800000000000000018491818Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.445{CBEA6AB7-980F-619B-E909-000000000F02}7440ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\WebBrowserPassView.exeC:\Users\Administrator\Downloads\WebBrowserPassView.cfgMD5=000195C6A685B7989C1FB26C7E4228D9,SHA256=2D0A6961D68A8C1315A54CEB07D8D787F57704588F5FDFDD361BC55FC1A7FB27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491817Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.430{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491816Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.430{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491815Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.430{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491814Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.430{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491813Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.062{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491812Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:02.030{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A01D4B10A33D359B95E797C71D23C562,SHA256=8D9B03DA6DE8E67AB4FA5CB4D40018B0E1CCBE54325822B4173490B43ED83B1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491811Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:01.999{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000018491810Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:01.999{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 23542300x800000000000000018491826Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:03.661{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DBC0C573874276C2CF388C4085B61E,SHA256=AE8210050F0EECF1F7155AB9685C5F9C45F32F7AFEE50DF5DA7A167E8CC294B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253544Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:03.897{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD3836221176046F7D9D662ED53A4C6,SHA256=5D4BE0BC520F12C839ED2BD734B4871F4010A109FFE525E7F699A0F5CB5E6A91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491828Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:01.287{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60581-false104.244.42.1-443https 23542300x800000000000000018491827Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:04.682{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED09668285040C9C72FD1E52EA0A7399,SHA256=A14E64A6B013B9E2EA2AB02941BB61357E4DDE773D439919062435603DF83F77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253546Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:04.928{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865234055276418100323A2F666826A7,SHA256=DA8CE33C5E47C3B4D541229469A6919BA4D33045A9B1D2F976764589686D4D73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253545Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:01.330{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53595-false10.0.1.12-8000- 23542300x80000000000000001253547Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:05.960{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B80000227778E653D93D0E308EFAD3,SHA256=4AFE9B65CFFA7D26578CE6C14707099078F44E76973A0DD062F935D1B379746B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491829Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:05.698{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFFAB09182A5AA81CA132D9F09125CD,SHA256=7E9B7EE14C765681767CE3658ACC9B532D0655EC3E41B6FE40E2881F7DFA34B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253548Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:06.991{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E209A9D26A2FA0D9ABF4EF2812204536,SHA256=63C926890E5B9A47BB2E6DA760E2D988FF3D951C223791059773A2E9D014E81D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491831Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:03.319{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60582-false10.0.1.12-8000- 23542300x800000000000000018491830Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:06.713{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4703EA3ABD7FC9E77953F65008D9030B,SHA256=8ED84989AD11C5A8127214472709BA4EB2FB242A76566D3FE45EB07B92C2CDD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491834Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:07.728{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359A62349D7E0768B6590A95729DDF69,SHA256=B4138A659CEA8FAD9E648A9EC0EFF974079802E2176D666DDE37D219326307CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491833Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:07.613{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A84DF01F8EC1327D86AA112AC4DBD242,SHA256=6B4CD1E1EAB8B1E1108848F4DCAFACC5528A57F3775569CE72D440A4A12BC850,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491832Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:07.613{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7537498F9759B25A96EA740826D40A7C,SHA256=0D57B19CC0D5A452048B3DA8BA0645A60BF1933BCB9B0E46186F5860CE88E87D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018491923Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:04.576{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-37240-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491922Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.844{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5CB15733BD8E3CA24D0CECFA6CC469,SHA256=7F3AF9A7E913EE6FB6AD0A01471E8DAC6D0966B4FB294681382C5C0F2511773B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253549Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:08.006{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C669090355BD3B2F5070CB1410241E,SHA256=1FDAED324964E8F5594362332BDB5026E27801F02688B0700FE3F8A9987B0ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491921Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.513{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D1A223D0F66852A353CAE8DF57EABA,SHA256=31985E2E7EC6AAE69804A469837BF34C9378B97983B66755D4FEDC96B5D0E76C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491920Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.259{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491919Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.259{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491918Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491917Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491916Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491915Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491914Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491913Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491912Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491911Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491910Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491909Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491908Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491907Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491906Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491905Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491904Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491903Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491902Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491901Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491900Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491899Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491898Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491897Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491896Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491895Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491894Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491893Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491892Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491891Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491890Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.252{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491889Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-4F7F-619B-0B00-000000000F02}632828C:\Windows\system32\lsass.exe{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491888Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-4F7F-619B-0B00-000000000F02}632828C:\Windows\system32\lsass.exe{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491887Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491886Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491885Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491884Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491883Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491882Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491881Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491880Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491879Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491878Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491877Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491876Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491875Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491874Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491873Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491872Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491871Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491870Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491869Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491868Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491867Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491866Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491865Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491864Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491863Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491862Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491861Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491860Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491859Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491858Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491857Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.212{CBEA6AB7-9818-619B-EA09-000000000F02}48327604C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491856Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.128{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491855Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.128{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491854Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.128{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491853Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.128{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491852Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.128{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491851Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.112{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491850Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.112{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491849Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.112{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491848Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.112{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491847Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.112{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491846Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.112{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491845Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.112{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491844Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.112{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491843Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.059{CBEA6AB7-4F82-619B-1600-000000000F02}13048028C:\Windows\system32\svchost.exe{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491842Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.059{CBEA6AB7-4F82-619B-1600-000000000F02}13041344C:\Windows\system32\svchost.exe{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491841Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.043{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491840Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.043{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491839Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.043{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491838Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.043{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491837Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.043{CBEA6AB7-5525-619B-4D01-000000000F02}1268524C:\Windows\system32\csrss.exe{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491836Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.043{CBEA6AB7-9800-619B-E009-000000000F02}50205668C:\Windows\system32\cmd.exe{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491835Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.051{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe2.11Web Browser Password Viewer-NirSoft-WebBrowserPassView.exe /stext c:\temp1sdasdadaC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{CBEA6AB7-5527-619B-F481-110000000000}0x1181f42HighMD5=F3D20449BAB41301AEFAD304CB02773B,SHA256=C41216EEE9756A1DCC546DF4FE97DEFC05513EED64CE6AC05F1501B50E6F96CC,IMPHASH=6CDE2F49ECF3CC2F14739BABAA8FD75F{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Users\Administrator\Downloads" 23542300x800000000000000018491925Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:09.858{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76DF479C6264EC742B3D526955162DD2,SHA256=D22613CF89251BBD8678AA27F79637C974EF9516A19A945D094D4D1C07C20B13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018491924Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:09.077{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A84DF01F8EC1327D86AA112AC4DBD242,SHA256=6B4CD1E1EAB8B1E1108848F4DCAFACC5528A57F3775569CE72D440A4A12BC850,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253551Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:07.314{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53596-false10.0.1.12-8000- 23542300x80000000000000001253550Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:09.022{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398D226B1AD11E2ABBC7F1490707CC71,SHA256=659F7755B96D34AA54DB9461FA490BF03BC2DEF763DC9C9BB25B4846170EFFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491936Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.878{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB1E8BBA9BE8EA736B9A9A4747FE7DB,SHA256=9D5DC895CE27B9890EB4093A557634C1B627A49AC8B7081738D1660BD6D37B1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253552Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:10.069{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B09795DB3BAA25111859DE1800DAA6F,SHA256=618349950C50E468596748A3179C35F854F74C15ED739BC87C370836210BEF92,IMPHASH=00000000000000000000000000000000falsetrue 534500x800000000000000018491935Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.479{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exe 10341000x800000000000000018491934Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.479{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491933Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.478{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491932Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.478{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000018491931Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:16:10.477{CBEA6AB7-9818-619B-EA09-000000000F02}4832C:\Users\Administrator\Downloads\WebBrowserPassView.exeC:\Users\Administrator\Downloads\WebBrowserPassView.cfg2021-11-22 13:15:10.724 23542300x800000000000000018491930Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.477{CBEA6AB7-9818-619B-EA09-000000000F02}4832ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\WebBrowserPassView.exeC:\Users\Administrator\Downloads\WebBrowserPassView.cfgMD5=000195C6A685B7989C1FB26C7E4228D9,SHA256=2D0A6961D68A8C1315A54CEB07D8D787F57704588F5FDFDD361BC55FC1A7FB27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018491929Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.458{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491928Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.458{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491927Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.458{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491926Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:10.458{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018491937Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:11.895{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DFC7ADC5A9E30CC30926FADB812552,SHA256=07E681906908ED91B07DBFEC17FAAE5A074275D09F2ECEF4086977BC99A07343,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253553Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:11.100{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A08EE7458E9C8E838DEBEC6E514F12,SHA256=986AFC2E3DC31AAABCF31C048FD2B2DF5D7C967B956A28D4E3083BAC61DCEB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018491940Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:12.910{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A0FE8B8E6E258112674F24D8480D7F,SHA256=51916DB6EDCEA9434F1B55754B09EE92F28B8053D57E12830372739987E64AEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253554Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:12.103{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E90FA0BA052BB672D7F309C589D8B91,SHA256=8A59AAFB97BAD7D274F2D5AFCBD6EBF77BAA27120D68664A5E24D2165852E976,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018491939Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.415{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60583-false10.0.1.12-8000- 354300x800000000000000018491938Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:08.258{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.88.253.3838.253.88.34.bc.googleusercontent.com63287-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018491941Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:13.924{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE6D32A0D1D1D8089A374A51DD8769F,SHA256=F67C7178B82AA7CC4D5F34F4B53619782461BF1D650CEFF28A49051EEC3EE85E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253556Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:13.157{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE39A6F85DACE1DA01D7D6CCB86E9DCA,SHA256=F9859133329EB6791D535D356A48140B77F536B92286958488E020BB49FBDF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253555Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:13.155{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211122080631-301MD5=2BDDF39925470B8EC963509AF6294792,SHA256=55F3B8F2085B1B773D0157DE95B74DA236A1C8442DB52BE5C71968FDD2B7F483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253558Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:14.169{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F900BCE30C044EEF694F5500DD3193E5,SHA256=F3CA038517EE96A2F3E93FE397C20483E2ED178323D9FE0C89981143B46CDA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253557Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:14.167{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211122080629-302MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492028Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.340{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239001F999B82459C91C8EBEAABAC797,SHA256=82B6BD18AFD89FFB8A36977556C3ABDD31C104F13280F20E4681C09E714AFB60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492027Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.325{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492026Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.325{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492025Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.325{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492024Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.325{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492023Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.325{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492022Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.325{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492021Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492020Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492019Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492018Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492017Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492016Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492015Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492014Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492013Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492012Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492011Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492010Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492009Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492008Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492007Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492006Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492005Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492004Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492003Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492002Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492001Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492000Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491999Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491998Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491997Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.309{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491996Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-4F7F-619B-0B00-000000000F02}6322488C:\Windows\system32\lsass.exe{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491995Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-4F7F-619B-0B00-000000000F02}6322488C:\Windows\system32\lsass.exe{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491994Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491993Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491992Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491991Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491990Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491989Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491988Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491987Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491986Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491985Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491984Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491983Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491982Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491981Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491980Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491979Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491978Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491977Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491976Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491975Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491974Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491973Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491972Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491971Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491970Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491969Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491968Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491967Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491966Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491965Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491964Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.294{CBEA6AB7-981E-619B-EB09-000000000F02}76286612C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018491963Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.209{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491962Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.209{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491961Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.209{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491960Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.209{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491959Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.209{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491958Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.193{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491957Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.193{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491956Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.193{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491955Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.193{CBEA6AB7-5528-619B-5E01-000000000F02}45046940C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491954Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.193{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491953Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.193{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491952Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.193{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491951Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.193{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491950Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.140{CBEA6AB7-4F82-619B-1600-000000000F02}13041840C:\Windows\system32\svchost.exe{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491949Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.140{CBEA6AB7-4F82-619B-1600-000000000F02}13041344C:\Windows\system32\svchost.exe{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491948Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.125{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491947Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.125{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491946Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.125{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491945Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.125{CBEA6AB7-4F81-619B-0C00-000000000F02}8327428C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491944Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.125{CBEA6AB7-5525-619B-4D01-000000000F02}1268524C:\Windows\system32\csrss.exe{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018491943Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.125{CBEA6AB7-9800-619B-E009-000000000F02}50205668C:\Windows\system32\cmd.exe{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018491942Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.126{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe2.11Web Browser Password Viewer-NirSoft-WebBrowserPassView.exe /stext c:\temp\1sdasdadaC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{CBEA6AB7-5527-619B-F481-110000000000}0x1181f42HighMD5=F3D20449BAB41301AEFAD304CB02773B,SHA256=C41216EEE9756A1DCC546DF4FE97DEFC05513EED64CE6AC05F1501B50E6F96CC,IMPHASH=6CDE2F49ECF3CC2F14739BABAA8FD75F{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Users\Administrator\Downloads" 354300x80000000000000001253560Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:13.332{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53597-false10.0.1.12-8000- 23542300x80000000000000001253559Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:15.385{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE1EE0DF1A1B3D5C68366F0F575BC6C,SHA256=4D89345E0BA51D3EE9BC391B6152BD8D19CAFD63DD3A116DF041B48D4D63D558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492031Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:15.455{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D0E623A3AC1102876D37A42B7F721F9,SHA256=B2B286389C381297BB303D49F13EAA196CBB06F2FFBE08A8351DB391050A5B4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492030Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:15.455{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB54A6AEDF1E71ECEC339AAB770CC9C4,SHA256=4C1A47E2A631E350B9BFBCF391B42CEB055D748285DA104871EE89DF24686001,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492029Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:15.455{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F73218C794E4385C6858705232517DE9,SHA256=585105C8138E325376735CE54F444D50E44889E760A6586A0175EDDDF5D8E2C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253561Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:16.635{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E54C6AE0C8295524365AB4C2C0EAF5,SHA256=3AEEF724D50B51BDE81EBB9C2263622BA47AE7A5719B5120A3DE9DC2376D9418,IMPHASH=00000000000000000000000000000000falsetrue 534500x800000000000000018492042Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.607{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exe 11241100x800000000000000018492041Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localDownloads2021-11-22 13:16:16.591{CBEA6AB7-981E-619B-EB09-000000000F02}7628C:\Users\Administrator\Downloads\WebBrowserPassView.exeC:\Users\Administrator\Downloads\WebBrowserPassView.cfg2021-11-22 13:15:10.724 23542300x800000000000000018492040Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.591{CBEA6AB7-981E-619B-EB09-000000000F02}7628ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\WebBrowserPassView.exeC:\Users\Administrator\Downloads\WebBrowserPassView.cfgMD5=000195C6A685B7989C1FB26C7E4228D9,SHA256=2D0A6961D68A8C1315A54CEB07D8D787F57704588F5FDFDD361BC55FC1A7FB27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492039Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.591{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492038Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.591{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492037Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.591{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492036Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.591{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492035Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.591{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492034Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.591{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492033Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.591{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492032Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:16.472{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2F29507C262D3A99E704E11A0081C0,SHA256=06AFD5166E1226F738DAA1D6877F6E11F3C3762FEF19376DD9210609CF155CDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492044Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:17.821{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D0E623A3AC1102876D37A42B7F721F9,SHA256=B2B286389C381297BB303D49F13EAA196CBB06F2FFBE08A8351DB391050A5B4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492043Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:17.490{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1F06E3194D961C620B1CEDEDC4CDEA,SHA256=1F0FD83DFF46DBFB6913977D16C8A516A1054327A67F9A3E36DBE510D5ECFC85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253562Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:17.666{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4C30B89B7F52D2080C58DE05ABDF7B,SHA256=778C24065024B721F344A7220D3240F3B2DBAFD640DA40E793726C6BF50A35AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253563Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:18.682{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6815CF1451AE6018E7BD7B60CC2770F9,SHA256=11D2EE0AF6012AB07AF8732A6198037B785B4DD755E7244735F7C21395EF6CCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492049Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:18.774{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492048Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:18.772{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492047Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:18.772{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492046Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:18.521{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82D3AE8E62739E945D567EC284E8FC9,SHA256=DA23CCDC30EAB424300246032EE2F0E7FCAC6D66AA1A46C8343D6AFEA08A8D49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492045Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:14.330{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60584-false10.0.1.12-8000- 23542300x80000000000000001253566Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:19.698{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D118DF53B98488C28F7EBF45C13536F,SHA256=3657EE057DA8E8B11D265B27E352DBABB8A51AB5B1CC7DF37271AECF34966D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492052Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:19.751{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492051Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:19.535{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36DB51A5B675E1C336B22730743C432,SHA256=5231CB3879E510D7387604C79BDD4A5E0D3B594B1933CB1D9DA40184E37D0250,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253565Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:16.606{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53598-false10.0.1.14-49672- 354300x80000000000000001253564Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:16.475{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-53570-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000018492050Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:15.599{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53598-false10.0.1.14win-dc-970.attackrange.local49672- 23542300x80000000000000001253568Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:20.713{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908AFAE10A667A8D8E06231B63A95803,SHA256=C1F1DD210F49BD2E28CD4D156B832EECF75CA01142F6DB05F2B21460953BE560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492054Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:20.551{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817D15ACDFBC334F711A1A92DE15C21E,SHA256=6B7EE7D18EC2BECBE10E76542A3B827DBEA466875226B12F6FC6E72A1D0F1F51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253567Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:18.168{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-49100-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000018492053Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:20.136{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D130C8CBC7C6B94EBBC981B47269632,SHA256=7D5632A3A6CE0E4D065CAE1577ADE519DA0145F4DA56B9B4B043FA27D05CDB2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492056Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:21.570{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCB96BD3A1D9BBFC8044DC508400095,SHA256=B16FD57B7B854394F6E9566417813286056220129834FA503C3A89EE0C6DCD0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253571Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:21.729{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E783C88FA4AB64D8E42D2A39BF375575,SHA256=47366D8875D38C9A90FEB882D0002D3F0CF1D2F73F2DB76C5DF1E04E5DF34CE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253570Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:18.490{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53599-false10.0.1.12-8000- 354300x80000000000000001253569Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:18.485{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-57754-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000018492055Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:17.236{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-36066-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492058Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:22.620{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0275AA9939AD33BFA38355E250CA07,SHA256=2542F627F1C92D48B0BCD0460113D5A71F75B0BD3D199FF99730B9BBF573FB86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253572Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:22.729{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A32683FDFBC241123187AAE4923D9E,SHA256=5D89C686A7DA005981E5AA66EEF31F2878FCAA8413BC7A7A042E1A2E461DBACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492057Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:22.024{CBEA6AB7-4F8F-619B-2E00-000000000F02}1156NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211122080641-301MD5=A1D0D577F42544DD772EFF490FF2796C,SHA256=BAF9C27C7C1429C61A9430176677A01FBBE9BC9408F59946D1FBAFE42606F366,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253573Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:23.744{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ECEE947C048EBA5C9D3304595CCD1B,SHA256=E1CC4EFC163590DD6C222446C2B51BC7236CFAB6EEA1BEDBBDD5D071EB1CBA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492061Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:23.635{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AF9493BE3B38F2956902D2E6F62107,SHA256=569FD6F3E739329BF1CDB2A4D99B9614E4F0C167277423C94FDB31AF3BB1D91D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492060Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:19.442{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60585-false10.0.1.12-8000- 23542300x800000000000000018492059Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:23.036{CBEA6AB7-4F8F-619B-2E00-000000000F02}1156NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211122080639-302MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253576Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:24.760{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262ADFAFE7D0DD902FF414D7BADBE83B,SHA256=CC4590EF9A85D0A9AD5D997EAD66AAAE1C778820C89582782C247FC0C08013DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492062Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:24.650{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE7915C1BB14C11FE2E412270EABF3C,SHA256=A566A6C8A24FCDD817D65512BC9FDCC4A039CDD1F1D5901CF7A124955E5A5BFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253575Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:22.023{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-57554-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253574Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:21.611{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-36372-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253577Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:25.776{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8576E9662CD6C9BE3FC386E6427DE6,SHA256=40BB6241DF66B26604557946E7C8028B1BE40F500C0B91B8C65D8337F98FD65E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492063Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:25.667{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352DBA5FCD443F8D8CD4768D824DE812,SHA256=13868310B9AEF97453A0D1C1C1BFB4C96541C8D8162C84CAF2F71802AB762F4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253578Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:26.791{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16491E2B271364426784509EC942374F,SHA256=07F1F62112938C28D5C9B45C5E93F2D0746AC58F093DA60307522A2372BDC459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492065Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:26.687{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D42012CD5CDB73C52F744AE80A53B4,SHA256=183DC09B6B7DE352E5B5486091F62EB205FCC6582410ABB8FD307F2E6D29286B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492064Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:26.348{CBEA6AB7-4F7F-619B-0B00-000000000F02}632828C:\Windows\system32\lsass.exe{CBEA6AB7-4F61-619B-0100-000000000F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x80000000000000001253581Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:27.791{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FB932382FD6862519798EB1B727752,SHA256=6B1E416BE462FB00807EE46DC03F39528D5F77565EA46713135E0552216F6CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492075Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.718{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B51B7FB4C1477F5AE9F3D136252FDAC,SHA256=0D452FE28B872FCF14AA79D40F2486932A1FA8CF2F14E43050ACE454C0C8D708,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253580Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:24.891{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-39194-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253579Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:24.489{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53600-false10.0.1.12-8000- 10341000x800000000000000018492074Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.402{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492073Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.402{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492072Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.402{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492071Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.402{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492070Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.402{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492069Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.402{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492068Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.402{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492067Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.349{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF33903C1575D07BF634A5E9A4165810,SHA256=1C661794AD31E44EF70CA601485FDBC12EA9EBF8F46E0FCF481646E9ACB08A66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492066Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.349{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D3DC0B1366D6A6389414206E3807158,SHA256=75792209E757A0F7D64BF49D5B4EE3E00F9DAD71679BD6AAC518A9483C01D23E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253583Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:28.808{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70924C0A261DBE1CC5C0ACE0FEFF993,SHA256=4D5253D30F0ACACCAC24F54988403732CFB8A8D5E1E0368CA226FF0A0C79F6AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492087Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.948{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492086Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.948{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492085Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.948{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492084Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.901{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492083Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.901{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492082Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.901{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492081Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.901{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492080Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.732{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F9A03200E629BE938A63CC8D1EE2E4,SHA256=C58DD1EDB4068F966DE2B6D2785A46AA1FD66C5A9A073DF4B7D0CD266D704347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253582Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:26.398{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-42214-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000018492079Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.469{CBEA6AB7-4F82-619B-1600-000000000F02}13046240C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2C00-000000000F02}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492078Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.469{CBEA6AB7-4F82-619B-1600-000000000F02}13046240C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2C00-000000000F02}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018492077Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:24.588{CBEA6AB7-4F61-619B-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60586-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 354300x800000000000000018492076Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:24.587{CBEA6AB7-4F61-619B-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60586-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 354300x80000000000000001253585Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:27.273{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-43988-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253584Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:29.823{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3EA363FF91AEFE4BFC7050E1081836,SHA256=5B34B5712A61D97CB103470FD8ABDE8A083A74FDA956F08C801FA6243E509E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492091Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:29.984{CBEA6AB7-4F82-619B-1100-000000000F02}436NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=28A0290F69A85D83363F5A4DA26D5442,SHA256=728B328B759C9A99403D4F3369A9A7D7389881FE3CB18AE8DB171DFECDCB3306,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492090Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:29.747{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A97CE580BA17790688F69C0F9DA45B7,SHA256=67F2416330C7702341D46220146DA33B4DA94069D494907FC2EEA979E3E6E255,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492089Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:25.456{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60587-false10.0.1.12-8000- 354300x800000000000000018492088Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:25.093{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-47114-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001253586Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:30.838{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FD95E41E3B76C6AEF2B77400ABDD6D,SHA256=41DBCF132A88D18129D0E54DEDEAC78C527532B2BD47883A88D531CECE85FE73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492100Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.883{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492099Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.883{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492098Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.883{CBEA6AB7-5528-619B-5E01-000000000F02}45041640C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492097Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.883{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492096Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.883{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492095Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.883{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492094Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.883{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492093Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.764{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE15C6CB2699327AABA10F8BC9813C9,SHA256=98F4A04A40831ACE76B7FA67740CF0286E01AE32CE1367D01BC498F3B7C750F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492092Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.365{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF33903C1575D07BF634A5E9A4165810,SHA256=1C661794AD31E44EF70CA601485FDBC12EA9EBF8F46E0FCF481646E9ACB08A66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253599Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:31.850{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABABE67A02706406A11BF32EEC3CD955,SHA256=C86BF9D541C30069F8BDFFCE2545928E31A8FFCF4A773487285FE9D78C9E6A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492103Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:31.783{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0218F25D3279A566AAC474B1B706F9,SHA256=5035A88BBD3E09F4BF65EE7A30583F9D97300A26EB379A937324FE0B92D5DD99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253598Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:28.835{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-51894-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253597Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:31.666{068A336D-4F84-619B-1200-000000001002}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3E695AFCBD9528A3F9DDF3D0DAB9B7C0,SHA256=FA9EDD8EBB89539F8250777852D9C24C05D3BF4922F41A033F4290018F0701D8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001253596Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001253595Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x011c9209) 13241300x80000000000000001253594Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7df9a-0xc8423a09) 13241300x80000000000000001253593Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dfa3-0x2a06a209) 13241300x80000000000000001253592Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dfab-0x8bcb0a09) 13241300x80000000000000001253591Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001253590Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x011c9209) 13241300x80000000000000001253589Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7df9a-0xc8423a09) 13241300x80000000000000001253588Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dfa3-0x2a06a209) 13241300x80000000000000001253587Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-22 13:16:31.651{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dfab-0x8bcb0a09) 23542300x800000000000000018492102Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:31.699{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73EF91B5B8BC4814296695EC5DAFB4E2,SHA256=F76EB3CB8F95BE3555D4FFB861C422A7E745BC36FC46E07522165B5C65E33FF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492101Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:27.494{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.39.68.202ns342796.ip-5-39-68.eu63812-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001253601Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:32.851{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D84B354AC395AF3ED666628E1B0F5F9,SHA256=EC6829C10275AC92B1A1143B7B0D779D2C130D59D93FE139517602110C967057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492104Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:32.785{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC9FE5F7FF1502C436606A966ACACB6,SHA256=07C4A8557055560DD3E8F61E2D16D0DF52A199CFFD99498D91153DE73CB64B7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253600Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:30.380{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53601-false10.0.1.12-8000- 23542300x800000000000000018492106Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:33.800{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E44D75A31598ADFD64439E16CE3D9B6,SHA256=148E450F347A9C3840A1B02F6B3F4DBF823EEB6AE7C915647EA3734F0E774119,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253602Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:33.867{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2CDF5BA848F58FE6F0572B04C89AEE,SHA256=5CC362AEA52C68DDFF8FEABF08B5064EE1F223A8983C6691418668848DFA52E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492105Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:28.792{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-55296-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001253603Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:34.882{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5EACD7E1AC0918BD4EC83FD8EC7C604,SHA256=AEB33DEDD1078C8071A03D621E290B53C03D6631A0D0F0420BE9EB6F5E3D73C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492110Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:34.815{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D617A7915352BD02813E282B53758D,SHA256=0D8B2A634A12827B28C9CEC7B560DDDA79AA6F602749F91164DE0FDC33126482,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492109Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:31.237{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-60702-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018492108Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:30.499{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60588-false10.0.1.12-8000- 23542300x800000000000000018492107Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:34.147{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=601F08C3A701423DB121271185510837,SHA256=4DC8E6DD9F8C784D6D557BEDF0CC29DF4DD4A351EA30C4A007320D7579AB6896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253604Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:35.882{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB9F2D83C09416AD39281C16256E142,SHA256=1C4A07133BE9C1E67903BB620A181603FC05724F15016DD0B0890AB01249A14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492111Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:35.830{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D94AC70B6453EBFC82C76C92CDEC991,SHA256=E579C66EC231652C789A3D838BB5BD14C91D2333AAEF3A86DA63D8ED8ABC2F74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492113Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:36.882{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05E21199E03D6E5604D833EAB6ED8589,SHA256=5F3DD945D5E152217FE42237EDEAA704816EEA08B8FD78E1B2A56CFF2599BE06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492112Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:36.844{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D786CCB34ACAAB0B6BDDF603F1290A0,SHA256=C0A9087D7A85E6116D0187556D2BD7FD3D9C07DFF81EFFF0B35C5648EE412FEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492115Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:37.862{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9466A4FF4FB8683A08382F79929E88F2,SHA256=F96922F25FA126139155911A599B8E87D5F611450C7E9F24AC53AFF7DDFB4E4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253605Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:37.101{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2AC31D769B73E797EC2D0989319ED2,SHA256=E6FC4B4010F2702826158CB8554B3279EC913AF867FA8F7201C8FB4BF3762701,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492114Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:33.960{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-43664-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492117Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:38.881{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9D0C49E028E03E7563B41D9B8FB6E9,SHA256=75E99B6B5C3368EBD69B240A47764E432A581907466F2993FD07193FE670AC65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253606Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:38.179{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B739703C820F25EF9491DC5595743C2,SHA256=79242C729C5D39A43D530AA0C4DD54320A9F96192BE4D9E499C031405DECF58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492116Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:38.112{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22C0F32837095840AE623117F4DB40D4,SHA256=B58B24123308F7A7E5899CB6A5C586AE09409C73EBD4BF8BDF4B1856140E06D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492121Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:39.896{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4497A24B647F253A81C053365B915EF2,SHA256=90F2BC95ABFAA7CBBAD7533018100ECF6273764044E41218BBC311563E4D67A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253608Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:35.487{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53602-false10.0.1.12-8000- 23542300x80000000000000001253607Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:39.211{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D11E1A497B06C48748F8131E81AC9A6,SHA256=FD6A21EF2297204C9443E741279BEC0836818CD02F406B39E4C51CD1681D3DD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492120Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:36.462{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-43646-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018492119Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:36.281{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60589-false10.0.1.12-8000- 23542300x800000000000000018492118Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:39.396{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A24706E45FB1C387B81F5D6EA755015A,SHA256=88B1406F6B0158F7B95FFD68E743C8B0BB93CE14022503DD37B2A118E62EE049,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492122Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:40.927{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050BFD1887E77EEEA0CBEE5BB640C8CC,SHA256=75C7AEE2DA99E1515D8283AE74E21A6A9F2C9F7AFACADE9DCC94D53A3C937D01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253623Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.648{068A336D-9838-619B-1A09-000000001002}35083572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253622Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9838-619B-1A09-000000001002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253621Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253620Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253619Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253618Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253617Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253616Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253615Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253614Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253613Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253612Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-9838-619B-1A09-000000001002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253611Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9838-619B-1A09-000000001002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253610Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.461{068A336D-9838-619B-1A09-000000001002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253609Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:40.242{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C261A25C8AC910F765FF4136D750C2BE,SHA256=C5324203BCC0820A55B03B5590D9A92333570A5947B6EADA4A7C520906522100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492124Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:41.941{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0BEC3169FD0CEE09FA34EDF3486C7E,SHA256=37CE67DB2C456B10FE381FC692C38A3B0FAE65918EEFCB1A63F74406BF637779,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253651Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.789{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82B4B7DD1CB8FC9F1D544EA37BE68AB,SHA256=95EB58B34989922A58E6937D22467E8D85FA187F0C41CA466D4C30A5F055A80A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253650Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:39.457{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-39856-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001253649Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9839-619B-1C09-000000001002}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253648Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253647Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253646Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253645Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253644Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253643Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253642Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253641Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253640Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253639Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9839-619B-1C09-000000001002}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253638Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.632{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9839-619B-1C09-000000001002}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253637Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.633{068A336D-9839-619B-1C09-000000001002}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492123Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:41.626{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12815648153685AD856BB77D4ED837DA,SHA256=A18BBA9818C9D275A6528ABF50F249595F0851FDE312779F8595B58D6429E58D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253636Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9839-619B-1B09-000000001002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253635Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253634Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253633Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253632Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253631Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253630Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253629Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253628Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253627Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253626Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9839-619B-1B09-000000001002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253625Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.132{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9839-619B-1B09-000000001002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253624Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.133{068A336D-9839-619B-1B09-000000001002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253652Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:42.664{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5122D83FBAAA1F8BAD2834FDF510A4,SHA256=EA8019442DA9809E75B01F0C8F04B66B53AFA5EF9E8A5AF79E226F8914DC280B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492183Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492182Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492181Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492180Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492179Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492178Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492177Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492176Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492175Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492174Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492173Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492172Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492171Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492170Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492169Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492168Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492167Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492166Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492165Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492164Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492163Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492162Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492161Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492160Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492159Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492158Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492157Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492156Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492155Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492154Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492153Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492152Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492151Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492150Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492149Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492148Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492147Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492146Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492145Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492144Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492143Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492142Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492141Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492140Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492139Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492138Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492137Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492136Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492135Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492134Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492133Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492132Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492131Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492130Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492129Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492128Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492127Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492126Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492125Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:42.810{CBEA6AB7-4F81-619B-0D00-000000000F02}892912C:\Windows\system32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253666Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253665Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253664Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253663Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253662Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253661Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253660Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253659Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253658Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253657Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F82-619B-0500-000000001002}41692C:\Windows\system32\csrss.exe{068A336D-983B-619B-1D09-000000001002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253656Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-983B-619B-1D09-000000001002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253655Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.993{068A336D-983B-619B-1D09-000000001002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253654Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.789{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3650B4E0E5043B036C3C571775D0B777,SHA256=6142745AE1A302EECA05A9F53D2DD405E66DF20E8054D24ABAC76838E2628E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253653Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:41.315{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53603-false10.0.1.12-8000- 23542300x800000000000000018492187Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:43.741{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492186Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:38.679{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-49238-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492185Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:43.094{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5432EA167120414E44D3E325F8F453E,SHA256=77236963CE62CC6F022E7F0A969BE5720BE29696E153CEFFDE086E377F760029,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492184Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:43.094{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27787EF5C3E059978DF9C7A6EB1CFD3B,SHA256=A17A5D46FCABA8044808AEFFBDD7EF80773373104241C89A267EF2D45AB4F9FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492189Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:44.808{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=150BE99B7C1FD8CABF72CC2031258B15,SHA256=5D605564538E3BCF67BB26AE795B228211E1FC11AEB1EF87B7E778A466B563B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492188Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:44.109{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B364BBA8FBB307DEEE9D1AA5D176660F,SHA256=4B15B07B27E851EDAE00E96A8DBD8A573EFA3AF456109642E599DBCD2C14E904,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253682Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.632{068A336D-983C-619B-1E09-000000001002}38923736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253681Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-983C-619B-1E09-000000001002}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253680Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253679Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253678Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253677Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253676Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253675Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253674Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253673Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253672Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F82-619B-0500-000000001002}41692C:\Windows\system32\csrss.exe{068A336D-983C-619B-1E09-000000001002}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253671Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253670Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.492{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-983C-619B-1E09-000000001002}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253669Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.493{068A336D-983C-619B-1E09-000000001002}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001253668Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:44.211{068A336D-983B-619B-1D09-000000001002}32442984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253667Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:43.992{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-983B-619B-1D09-000000001002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253697Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.382{068A336D-983D-619B-1F09-000000001002}508940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253696Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.211{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A88CB40894B087B4980CA0A93307986,SHA256=4F0976E3BC55877AB778C82193FFE999E8B2F56A5C88371A6D9F99CE26F0A691,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001253695Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-983D-619B-1F09-000000001002}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253694Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253693Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253692Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253691Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253690Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253689Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253688Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253687Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253686Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253685Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-983D-619B-1F09-000000001002}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253684Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-983D-619B-1F09-000000001002}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253683Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:45.164{068A336D-983D-619B-1F09-000000001002}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018492191Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:41.351{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60590-false10.0.1.12-8000- 23542300x800000000000000018492190Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:45.139{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525332CAC10C902E71AD774FB6F983DB,SHA256=00544FF137B170A80EC10A0EBC51CB964EE4B04EB653CD2DB2BAEA5A04153D08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492192Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:46.156{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBFC43DBC705B89F5B6CCE86166E703,SHA256=5669854599F6FF530358BB4EE56AF489B046EE2281F6FB47CFA85A4039FFD75B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253698Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:46.351{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC3F6E2FF1B900E5CE53CC6562763EB,SHA256=5281F6ECBC31544163E3D3651EA42FF72EEAC69A5A6D9C458E69063E4AD90C05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492196Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:43.989{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-60652-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492195Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:47.376{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=880A1A078C02321CBB2B9B1C214AB544,SHA256=5C86889F64FCD767932F29E0F4D857C70C4B998EBFF9FFCF8815BFD62902AF17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492194Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:47.376{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B9D62A2EEA999BB1A5825D20E5DD8F,SHA256=8B48448374D7B0B399D9AA9858F43791C394E2AB1A4841673B09178A9CD239CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492193Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:47.177{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9B2798615FDE998187959B06AC1503,SHA256=F101ED2F9858B365A1E2A15314FE8BAA743994887FE9ABBB90F569170F7A99DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253700Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:47.492{068A336D-4F85-619B-1F00-000000001002}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253699Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:47.367{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA0A78833F367C6EF0D49B645EFD294,SHA256=0C93B5CE89AB8ECB93A72ACE097F8923B98164BA67F64F831566E97C095ACADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253714Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.383{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416FB76F0EAD2BD0225430601DA84FC6,SHA256=525D8509AEA39E448941142C6EBC6C9DDFC7F49B040F00B52BC62999E856A47C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492207Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.959{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9840-619B-EC09-000000000F02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492206Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.957{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492205Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.956{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492204Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.956{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492203Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.956{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492202Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.956{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-9840-619B-EC09-000000000F02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492201Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.956{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9840-619B-EC09-000000000F02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492200Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.954{CBEA6AB7-9840-619B-EC09-000000000F02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018492199Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:45.595{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.39.68.202ns342796.ip-5-39-68.eu56069-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492198Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.475{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=880A1A078C02321CBB2B9B1C214AB544,SHA256=5C86889F64FCD767932F29E0F4D857C70C4B998EBFF9FFCF8815BFD62902AF17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492197Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:48.191{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADF055E6B7CCEA8E32E30D5624492F2,SHA256=D0CE0E4F230014A4D4A1C007BC55E7167F9B56AFF1732A3E5FBBCFB6CCBE628C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253713Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9840-619B-2009-000000001002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253712Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253711Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253710Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253709Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253708Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253707Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253706Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253705Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253704Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253703Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-9840-619B-2009-000000001002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253702Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.148{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9840-619B-2009-000000001002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253701Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:48.149{068A336D-9840-619B-2009-000000001002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253718Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:49.414{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467D98F31311B353DF657F3F06A1DEDE,SHA256=0D2B9CC5CEDD6D327E5AAEC7795E04DCCBC8E91D9DFAAFEA108C631FD42A861D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492219Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.790{CBEA6AB7-9841-619B-ED09-000000000F02}61846596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018492218Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:46.376{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60591-false10.0.1.12-8000- 23542300x800000000000000018492217Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.658{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=955F7BF5B46B657E796EC101B1851A0A,SHA256=210B63626E85462478BB31ABE53569137E0C306A3E324C1B5F78E49833FA2ABE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492216Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.621{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9841-619B-ED09-000000000F02}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492215Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.621{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492214Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.621{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492213Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.621{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492212Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.621{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492211Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.621{CBEA6AB7-4F7F-619B-0500-000000000F02}412480C:\Windows\system32\csrss.exe{CBEA6AB7-9841-619B-ED09-000000000F02}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492210Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.621{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9841-619B-ED09-000000000F02}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492209Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.622{CBEA6AB7-9841-619B-ED09-000000000F02}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492208Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.206{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2169DDA0DCD00B692E584C138D5AF39D,SHA256=4BD8D19A1A7EBA91393747A92440BE7EEF8501169D6D339D610160748904D7FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253717Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:46.721{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53605-false10.0.1.12-8089- 354300x80000000000000001253716Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:46.503{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53604-false10.0.1.12-8000- 354300x80000000000000001253715Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:46.244{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-57276-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253719Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:50.445{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF3C8A86952B2EC63F513EA446C38E0,SHA256=3C61081D72A7F662CB1B431C232015CC4292440215B513409337AF72A5092E9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492232Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:46.667{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-42752-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 10341000x800000000000000018492231Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.620{CBEA6AB7-5528-619B-5E01-000000000F02}45044604C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8032C868D08)|UNKNOWN(FFFFAA62CB725B48)|UNKNOWN(FFFFAA62CB725CC7)|UNKNOWN(FFFFAA62CB720351)|UNKNOWN(FFFFAA62CB721D1A)|UNKNOWN(FFFFAA62CB71FFD6)|UNKNOWN(FFFFF8032C581103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000018492230Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.620{CBEA6AB7-5528-619B-5E01-000000000F02}45044604C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8032C868D08)|UNKNOWN(FFFFAA62CB725B48)|UNKNOWN(FFFFAA62CB725CC7)|UNKNOWN(FFFFAA62CB720351)|UNKNOWN(FFFFAA62CB721D1A)|UNKNOWN(FFFFAA62CB71FFD6)|UNKNOWN(FFFFF8032C581103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492229Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.620{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF11ce3f2.TMPMD5=CEFA209DEC3F5881F515D84B472D55C6,SHA256=5E86F15B6F5DF1DF26A2D5D1D0F09756F0C2A2889AA5CA47A1320CC00C52B59B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492228Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.258{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9842-619B-EE09-000000000F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492227Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.256{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492226Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.256{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492225Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.256{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492224Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.255{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492223Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.255{CBEA6AB7-4F7F-619B-0500-000000000F02}412480C:\Windows\system32\csrss.exe{CBEA6AB7-9842-619B-EE09-000000000F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492222Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.254{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9842-619B-EE09-000000000F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492221Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.254{CBEA6AB7-9842-619B-EE09-000000000F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492220Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:50.221{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43F2DDEC7E0E1371BD62CBB86689468,SHA256=96F185DF79A987A51D8D088FAEDFBAEF9286D632CC91662A24471787419FD742,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253720Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:51.461{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E883CD0346D390232256DF4AE2566EF9,SHA256=E224B109C6E83C406799B778196AD538A429965C79C4BAB109A13435D43744A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492242Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.935{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9843-619B-EF09-000000000F02}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492241Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.935{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492240Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.935{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492239Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.935{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492238Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.935{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492237Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.935{CBEA6AB7-4F7F-619B-0500-000000000F02}412480C:\Windows\system32\csrss.exe{CBEA6AB7-9843-619B-EF09-000000000F02}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492236Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.935{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9843-619B-EF09-000000000F02}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492235Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.936{CBEA6AB7-9843-619B-EF09-000000000F02}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492234Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.273{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EE66701C5BD070156C780AD3E1BAF16,SHA256=9D4E91A8302E0D2A804CF2D2858BF60C241573F5B751DE7E56D4173B074A7335,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492233Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:51.236{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430B67383481EEB04D1F18D241B2588D,SHA256=79FB839E7A9ACEA683FB8DAB815335426A10A084A449B7A07A5AAA2B9706B731,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253721Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:52.463{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F1AD201791E557BB4E05654F6F525B,SHA256=A2FA4A9D8F58665562EDF6D743E3DCDE9B3F167019D539A561A97A2E0BA85694,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492255Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:49.401{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53632-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 10341000x800000000000000018492254Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.672{CBEA6AB7-9844-619B-F009-000000000F02}74447796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492253Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.603{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597DFA86EBE1F33B9606F2CE835593EC,SHA256=8BE09BE2F7A53C7823B41A07A123A49116188DF6626F00C9262FC9C5F3134936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492252Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.503{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9844-619B-F009-000000000F02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492251Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.503{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492250Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.503{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492249Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.503{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492248Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.503{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492247Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.503{CBEA6AB7-4F7F-619B-0500-000000000F02}412428C:\Windows\system32\csrss.exe{CBEA6AB7-9844-619B-F009-000000000F02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492246Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.503{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9844-619B-F009-000000000F02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492245Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.505{CBEA6AB7-9844-619B-F009-000000000F02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492244Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.272{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F94E20205009923967C40A475B11A5,SHA256=D47D5AF8B1DE034971ADC3F8BD639271EBF1CB7343F10D14C00DC2FDF9EA53A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492243Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.119{CBEA6AB7-9843-619B-EF09-000000000F02}71082592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253722Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:53.495{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571AFEEA70D18F56114D5F731616DDB2,SHA256=360398E6EEB018C1AF98F1F0178B736468F2A9572B3DE73B9FFBDCB7913BAF38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492272Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.787{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9845-619B-F209-000000000F02}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492271Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.787{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492270Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.787{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492269Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.787{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492268Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.787{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492267Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.787{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-9845-619B-F209-000000000F02}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492266Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.787{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9845-619B-F209-000000000F02}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492265Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.789{CBEA6AB7-9845-619B-F209-000000000F02}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492264Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.303{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6114B343DD6700125EF393A9B2892B,SHA256=3F6CB4EA25A44A442DBA1E031C3B14FC40E777193F6F4767D33DA1C22F226B24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492263Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.172{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9845-619B-F109-000000000F02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492262Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.172{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492261Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.172{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492260Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.172{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492259Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.172{CBEA6AB7-4F7F-619B-0500-000000000F02}412528C:\Windows\system32\csrss.exe{CBEA6AB7-9845-619B-F109-000000000F02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492258Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.172{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492257Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.172{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9845-619B-F109-000000000F02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492256Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:53.173{CBEA6AB7-9845-619B-F109-000000000F02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253725Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:54.526{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFA5A6152DABDCB460F20BFAC9746DA,SHA256=3C8E3F179E37A14E24E228459853EFD58A9DC250384BA9E60831425AFA75FC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492279Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:54.318{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12F09A29618BFE795DE870BE6407F82,SHA256=AB64C8AAA11309BC0BFAE17648FE5458916F8005C4C6F5EDDF8B12D793941C35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253724Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:52.489{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53606-false10.0.1.12-8000- 354300x80000000000000001253723Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:51.051{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.67.65-61546-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000018492278Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:54.187{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDC2CE670E2DBD6C55DCA89FD24C10C9,SHA256=056AFB39DB49430CABFC9E684DE1AD33103E40E3B721E556206D70C6F06366ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492277Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:54.018{CBEA6AB7-9845-619B-F209-000000000F02}49488136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492276Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:54.018{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492275Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:54.003{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492274Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:54.003{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492273Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:54.003{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2B00-000000000F02}2968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253726Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:55.541{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F026330850D888E450C48B606AF7B2,SHA256=75F4D6E5A63537A3C0B5CE2156A5F531FA065B797FE7D88044576A29F0964CD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492282Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:52.324{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60592-false10.0.1.12-8000- 23542300x800000000000000018492281Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:55.334{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBAAE7BEA4279CE0751B71BB56630C4,SHA256=45BC59264B30884C4F8DBF758B5CEA8D2CCE79608CA5B0557ADE76C4496B015E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492280Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:55.117{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253727Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:56.557{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564BAE89485D9AEEFFF97A469BD921CD,SHA256=4D94C05816585FE51DEF17528377110AF830447FA82095B0C7557BCC1493B53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492283Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:56.351{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C891338102B7A4C8C32AD131800CF0F,SHA256=2225A5458D7FB54294C586F39EB3C20A382347A6D36C04E0FC7011EAE0586690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253728Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:57.573{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661838C5A8D44EF023AD456DBC123AB6,SHA256=972A23C6D2BA9B9B629958D3B34A8ECC0BEEE50D776D2155D810840941A7F464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492286Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:57.652{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE85A700FD4FA184DF0A7260C7E3D963,SHA256=CE4A31DAAE1481A01976E0E96A41BE6E45990B5DA87B2EED83E162AD9FDCA16D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492285Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:57.371{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5A551D2072A26F2C0DEF442AC33E9C,SHA256=329364FBD85979315A0AF62539DC0647C6DD2A7CD60980193864B9FD733231CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492284Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:57.071{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253729Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:58.588{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBAF3B0A3EE2978F242E6E0BF151C9F,SHA256=B50AAC112ABB1299792C5BDDCB03F25E8B33F360A2A4AF2ACDAAD088869FDED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492289Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:54.872{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60593-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000018492288Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:54.872{CBEA6AB7-4F8F-619B-2700-000000000F02}2892C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60593-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000018492287Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:58.385{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DC95D7A336BBDD1602EF6592906823,SHA256=2C3506D47702D47962BB26BF4529E8C9B5955F4788C2A45EB0265EA422581497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253730Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:59.619{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55766B245C284075847306A03BBB77EB,SHA256=E3B352F6819790567AECD833DBE65580BCDEF7B7930C05F45962F3FB7FE696E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492293Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:56.362{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-35400-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018492292Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:55.288{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60594-false10.0.1.12-8089- 23542300x800000000000000018492291Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:59.400{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E940DB048E4B4FA8A622228A784CE8FA,SHA256=AAB12FEC1CF65678ED72240CFEC620028CE27F3E40A0FB46DAA6CA8DC0DA847A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492290Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:59.300{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91C0966BD754F7EEC4B7E51CD63BB864,SHA256=652A436200737CA03708E231FCFAA9EBBA9186284C9E940F0E9824FB48BE7DA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253731Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:00.651{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16BF4018A2E3432AAA15B5CE04AF5F1,SHA256=DA76B47A09BCD801F41E32F4B951876B465C3578115C81587982F7DB28256C2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492296Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:57.469{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60595-false10.0.1.12-8000- 354300x800000000000000018492295Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:57.266{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse112.31.195.234-52734-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492294Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:00.401{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689AB922D9C8982ADE2539AD2751C52A,SHA256=4620DA5DFF1A70650F74B358CBC278D02CCD07D8184B66E6306A85F9A0CB4ECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253733Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:01.682{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A532F83014BB6143FFCF70186C72B6DB,SHA256=D7A28B572408A443D16CFE477DDF7CE363915197F264E14C3019FC36195C53B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492299Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:16:58.510{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-44944-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492298Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:01.432{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A98EC8460665CFD6E05249BC82BC70,SHA256=82E70DB62AC66E21F1287AC8C51DB43EA70DC0BB94F226A86A097599EA88CA60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253732Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:16:58.489{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53607-false10.0.1.12-8000- 23542300x800000000000000018492297Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:01.416{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E941ACFA497E5FB7155EABF15538C9DB,SHA256=83EF8E1E099CE4F7441A3FDBF1BA38E068E1D5F507F1C7169763F9FAAF09CD2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253734Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:02.713{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2329C10132E5102587383C1B0FDD9219,SHA256=E21D5D57AF8EBA54A1863984420FA800A4DABAD55203D46EF11547237FF5F2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492300Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:02.432{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AA83A7F0A2E76964F30AE4A9941746,SHA256=9C5815D394909E2772471D3CD8F992901CD5C5F49A00FD543B896D2A9773AEED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253735Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:03.729{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB04ACF3FD4A34C96B1033DA9D940206,SHA256=1B3CA71FAA19ADD3BF73EABABA052191D9F8DB8992595722EE1F1A46398B90ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492301Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:03.449{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C217960C4B653BC811544A13E2A1FDF,SHA256=694C1C00565E7BA6F5FB125332F6B250157A161AE4B3EC83CE83F1A234E8B66B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253736Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:04.776{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D3FCEFD56BD96F755AADFE7FF85C3F,SHA256=4034E64CB453F907A514057B09188A140F2F6F2C5346FD7CB74A3D32BEF5B131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492302Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:04.469{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EAC7715307A0EC561892B6DCCCE007,SHA256=C86A7B9C96B85A64EC46B08633A4C9ED218D43A1384A12D11A21087C6B89023A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253737Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:05.807{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350C3C7B95054934D3CD2537E178081B,SHA256=B41A73346FFDED65A958E3D3B6FA5E95CE053550BA5F0F851FE144A657D5A4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492303Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:05.483{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694AB890B2A4B41C7BAD263BD193E5B8,SHA256=75C8E665C6C0C9E23E78A5DD01FC25E011C68C3663438BBC2D859CD17004019C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253738Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:06.823{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3E8AEB17BD1304881B95F19A6ED74A,SHA256=63489FC7C6520FE92D8E84449C14C0AE88D65E398ED5AB1B23C0151644D73271,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492330Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492329Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.882{CBEA6AB7-5528-619B-5E01-000000000F02}45041096C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492328Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.882{CBEA6AB7-5528-619B-5E01-000000000F02}45041096C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492327Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.882{CBEA6AB7-5528-619B-5E01-000000000F02}45041096C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492326Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.851{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492325Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.851{CBEA6AB7-5528-619B-5801-000000000F02}29004172C:\Windows\system32\taskhostw.exe{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492324Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.851{CBEA6AB7-5528-619B-5E01-000000000F02}4504328C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492323Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.851{CBEA6AB7-5528-619B-5E01-000000000F02}4504328C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492322Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.851{CBEA6AB7-5528-619B-5E01-000000000F02}4504328C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492321Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.851{CBEA6AB7-5528-619B-5E01-000000000F02}4504328C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492320Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.851{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492319Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.850{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492318Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.850{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492317Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.850{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492316Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.814{CBEA6AB7-4F82-619B-1600-000000000F02}13041840C:\Windows\system32\svchost.exe{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492315Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.814{CBEA6AB7-4F82-619B-1600-000000000F02}13041344C:\Windows\system32\svchost.exe{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492314Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.782{CBEA6AB7-4F82-619B-1300-000000000F02}4045768C:\Windows\System32\svchost.exe{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492313Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.782{CBEA6AB7-4F82-619B-1300-000000000F02}4041000C:\Windows\System32\svchost.exe{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492312Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.782{CBEA6AB7-4F82-619B-1300-000000000F02}4041000C:\Windows\System32\svchost.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492311Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.782{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492310Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.782{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492309Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.782{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492308Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.782{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492307Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.782{CBEA6AB7-5525-619B-4D01-000000000F02}12686108C:\Windows\system32\csrss.exe{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492306Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.782{CBEA6AB7-5528-619B-5E01-000000000F02}45044420C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492305Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.786{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe2.11Web Browser Password Viewer-NirSoft-"C:\Users\Administrator\Downloads\WebBrowserPassView.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{CBEA6AB7-5527-619B-F481-110000000000}0x1181f42HighMD5=F3D20449BAB41301AEFAD304CB02773B,SHA256=C41216EEE9756A1DCC546DF4FE97DEFC05513EED64CE6AC05F1501B50E6F96CC,IMPHASH=6CDE2F49ECF3CC2F14739BABAA8FD75F{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000018492304Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.498{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5689A0BDBF0C92CD804169B02BB728CD,SHA256=D98A463C6AC824B1706296224F3B32253C92E65431039E31B245505BC4C38957,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253742Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:07.838{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A747513117965FCB8F52A3F4EB8575B1,SHA256=E9B5EDE029771E6DEEDCF9044081748DB9A340949F362889AD5F70FEA82BAD48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492401Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.797{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492400Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.797{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2BD579F09C9866C12F42D95C559364F,SHA256=5E1BE7A0433BC09A2BDAC8E9B422AC40A36F8118D859758194A9F4A7B1AEE3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492399Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.797{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51AD77B49529D560CFBBFEB659C58EC0,SHA256=8178E1B3DF1AE94D4873E0ECE1884F23599025D8465D75B822C9D998DC8D3FD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492398Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.766{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000018492397Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.766{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 23542300x800000000000000018492396Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.682{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B86FB35C6841801DF6370E19A43359,SHA256=9C491C1EB4631485B67325D28051FE96C66EDC738407B782F25420BA4E46B679,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253741Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:04.724{068A336D-4F83-619B-0B00-000000001002}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53609-false10.0.1.14-49672- 354300x80000000000000001253740Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:04.458{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53608-false10.0.1.12-8000- 354300x80000000000000001253739Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:04.420{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-40026-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000018492395Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.067{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E270081516BB2174F559391EFB2986,SHA256=8FC83F88F2876B49F7F0B3FC6084D47567A17EA06585F072C72E2E9A26EECF46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492394Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492393Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492392Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492391Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492390Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492389Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492388Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492387Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492386Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492385Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492384Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492383Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492382Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492381Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492380Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492379Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492378Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492377Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492376Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492375Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492374Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492373Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492372Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492371Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492370Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492369Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492368Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492367Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492366Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492365Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492364Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:07.029{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 354300x800000000000000018492363Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:03.284{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60596-false10.0.1.12-8000- 10341000x800000000000000018492362Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-4F7F-619B-0B00-000000000F02}6327848C:\Windows\system32\lsass.exe{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492361Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-4F7F-619B-0B00-000000000F02}6327848C:\Windows\system32\lsass.exe{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492360Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492359Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492358Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492357Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492356Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492355Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492354Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492353Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492352Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492351Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492350Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492349Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492348Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492347Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492346Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492345Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492344Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492343Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492342Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492341Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492340Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492339Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492338Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492337Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492336Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492335Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492334Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492333Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492332Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492331Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:06.998{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 23542300x800000000000000018492403Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:08.696{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3D431E979E0A28DC0223A9BE33AB2F,SHA256=6C241C379A95E12489A7B3E18D5931C430662E62AD4FF1BF084EF32D6C47A592,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253743Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:08.870{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48609823DF5F0871801601309D2A5B6B,SHA256=54AF568E1D7D91C6728E32E6FAAAC484DC98AF4839F126F89F52131894E82547,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492402Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:03.717{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53609-false10.0.1.14win-dc-970.attackrange.local49672- 23542300x800000000000000018492405Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:09.711{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16922A821FB90F00F07A3751450A77D,SHA256=76AD06EC9FFF41A42C70B42598351FFE07FBBE15CA4C48D289E6EB1742ABFA9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253745Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:09.885{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E887D94F1F9AED374D1C9A739AF2FC07,SHA256=05EAED4DA7B730A71C2E6B7230FEA4F419886A4C00098BA09A2F1996D6950F97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492404Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:05.320{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-59810-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x80000000000000001253744Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:06.904{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-42022-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253746Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:10.916{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100A2C8F5C9DC731ACE2465F41B45702,SHA256=8EECE1108ECB0E207B4213CF7D9C4317DFC45049C64FF430E4926F4AE5AAE202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492406Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:10.725{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2025086D4184B6CFAB503ACFF377A298,SHA256=87494635AC1F9ABADF23C7DC8B0D6ECF002885BE8B8BD0D24197890DC94B729F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253747Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:11.951{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36E47C1E57493355A3E2BBAD7822A1D,SHA256=DA55E12247F777A6F48637EBC7DF2948191BA2D37707553C11E0A09A67BAC80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492407Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:11.737{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD89D7B8D5CFFF9BACA2EB0957657F12,SHA256=D80315BA3FD981387AA8EAE7E09A8CB37979272764DDD3552F454E888C9764C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253749Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:12.951{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE58933106BC7E54193C5E31CAFA6846,SHA256=5A4D96C94D60F2F25B893D03F1FC3D5CB5EA791C93464ECAB645EF7C3A110F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492409Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:12.744{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42106D5C3425756ECB5FDE87434651D6,SHA256=B731B85CCFD243296E668D8A2F19A5E8E8F4713AF2AA73A011EC9E750A293FB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253748Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:10.194{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-49848-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000018492408Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:08.363{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60597-false10.0.1.12-8000- 23542300x80000000000000001253752Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:13.967{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039F1467795655F7D824B98C65EE2F3F,SHA256=66F0677D52E35C3958F077D32F55F8D4C70C9D99C7241A08B4999FC708E63049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492410Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:13.760{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3BA629C98DF47FAF4914394388C7D9,SHA256=64CE06BBF63B8D65A4A1D9D32CDE5C4C9978116052A1E1E4C99D3786FB7B4167,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253751Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:11.129{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-51628-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253750Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:10.427{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53610-false10.0.1.12-8000- 23542300x80000000000000001253754Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:14.971{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECD2E734AC59FFDEFD5051B9BC721B8,SHA256=63683E1BD4646A696B8D516161719FB4BFF7CB0A622F52B5F6169566721A6D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492411Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:14.774{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45DC8CC8D4FA55924E93BF96DD19AF5,SHA256=6E55DE240E9952D031CD471263DB7905C424563DCB095AF3527777DA6C16D8F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253753Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:14.688{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211122080631-302MD5=2BDDF39925470B8EC963509AF6294792,SHA256=55F3B8F2085B1B773D0157DE95B74DA236A1C8442DB52BE5C71968FDD2B7F483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492412Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:15.821{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1154487B283507412B5A09B7427B97,SHA256=A2662A76950526BF631244E70488E5B93BD01F21A5D93AB0B2C772B721D6687D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253755Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:15.691{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211122080629-303MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253757Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:14.360{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-33160-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253756Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:16.001{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268B4494441B31204152C6EE35A1D551,SHA256=969DF3A2F430A272A1814772FCC4BBDADEB00D08707602EC439970A68153191F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492413Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:16.841{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BC636881334AC3222D04267CB58F27,SHA256=C11E3DC0E4080BD8FC0D23335941A11827954987E003018AA929FA0347E4D831,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492478Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.857{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A805B3129287E0D65AD689C3FD4B7E6,SHA256=5E8293F658975E183075D1BCB8FB830037F1CCF7C5DF37F4397A5F29BBDBDE46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253759Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:15.448{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53611-false10.0.1.12-8000- 23542300x80000000000000001253758Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:17.019{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDC8F5B8212EF70D18195A100341701,SHA256=F3F4404A3D85AA8F6A2880C6E067CF31F1C9321FB12AB960BDA9C8D1941CE7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492477Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.438{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F248A42ECE514015B4D7EC14DCAAC1BC,SHA256=4B812DBE0B5C76704285E695658D6C6BE07650F032CB775D4C71E0019D0DD610,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492476Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492475Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492474Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492473Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492472Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492471Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492470Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492469Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492468Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492467Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492466Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492465Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492464Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492463Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492462Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492461Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492460Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492459Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492458Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492457Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492456Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492455Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492454Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492453Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492452Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492451Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492450Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492449Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492448Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492447Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492446Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.389{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492445Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E109-000000000F02}7492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492444Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-9800-619B-E009-000000000F02}5020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492443Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8EEF-619B-D008-000000000F02}1952C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492442Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492441Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492440Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7402-000000000F02}5520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492439Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C77-619B-7302-000000000F02}3232C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492438Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5C4C-619B-7102-000000000F02}6332C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492437Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-59D7-619B-1E02-000000000F02}6800C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492436Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492435Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-585C-619B-EF01-000000000F02}6308C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492434Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C901-000000000F02}6692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492433Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-573E-619B-C801-000000000F02}6676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492432Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5708-619B-C001-000000000F02}4712C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492431Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-56B1-619B-B801-000000000F02}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492430Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492429Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5600-619B-9E01-000000000F02}6060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492428Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492427Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492426Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E7-619B-9401-000000000F02}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492425Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9301-000000000F02}5316C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492424Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492423Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492422Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7D01-000000000F02}5512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492421Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5557-619B-7C01-000000000F02}5504C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492420Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5535-619B-6301-000000000F02}4908C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492419Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-552A-619B-6101-000000000F02}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492418Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5529-619B-6001-000000000F02}4760C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492417Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5E01-000000000F02}4504C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492416Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5528-619B-5601-000000000F02}3980C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 10341000x800000000000000018492415Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.373{CBEA6AB7-9852-619B-F309-000000000F02}22287788C:\Users\Administrator\Downloads\WebBrowserPassView.exe{CBEA6AB7-5527-619B-5301-000000000F02}3868C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|C:\Users\Administrator\Downloads\WebBrowserPassView.exe+43c63 354300x800000000000000018492414Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:13.374{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60598-false10.0.1.12-8000- 23542300x800000000000000018492482Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:18.889{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45ABE1730C1C6B736837BE1DED55897,SHA256=C1625166620914DC9818AB21557E3D1B5BD9299BA13658364EBCFED44605D062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253760Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:18.034{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C94F9400585BE355A8347A4F0AAD4F1,SHA256=8CA906B2A9FF38791B7799616F5228C6B638747FF71951A8F6EC693F3FCDB22D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492481Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:18.642{CBEA6AB7-5528-619B-5E01-000000000F02}45046572C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492480Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:18.642{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492479Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:18.642{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492487Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:19.919{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4748E704D1B50EF1285813F2FF7D43,SHA256=C68F00C87DE52C06811CD7EA036A8D31B4735369E02AE915F64B3890A5EC2D6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253761Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:19.050{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4873C2C829EAFDBA1A5BC00C635673E7,SHA256=E07C75BE0D3F3B5673937627AE80A72C295877A41095981651898B9337FF5580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492486Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:19.836{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492485Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:19.688{CBEA6AB7-4F7F-619B-0B00-000000000F02}6322488C:\Windows\system32\lsass.exe{CBEA6AB7-4F61-619B-0100-000000000F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000018492484Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:19.138{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=020DD78D27A27A0B721153A817FD6D25,SHA256=943C93E0587BEC22385758B5681B428F83D9DCC654FBECDDC20D5CACDD775B10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492483Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:19.138{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2BD579F09C9866C12F42D95C559364F,SHA256=5E1BE7A0433BC09A2BDAC8E9B422AC40A36F8118D859758194A9F4A7B1AEE3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492496Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:20.939{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8EBA17C6735364DF5C8C8352AC16DF,SHA256=4F80AF1D3DF31F4BD55867E15088D150EDE4188CE064F3860DCA711354B3E860,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253762Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:20.050{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DA7C76A4B373B88B6CC69C63FA779E,SHA256=4A484CB53BCD1E15BDE49C6024D68056C2F761CD00C518A2A1B72A83F03264B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492495Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:20.771{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x800000000000000018492494Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:20.755{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018492493Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:20.740{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492492Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:20.740{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492491Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:20.740{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492490Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:20.735{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 23542300x800000000000000018492489Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:20.587{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=020DD78D27A27A0B721153A817FD6D25,SHA256=943C93E0587BEC22385758B5681B428F83D9DCC654FBECDDC20D5CACDD775B10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492488Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:16.239{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-55130-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492569Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.955{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CE40AD718D55314358A752E545DE38,SHA256=CF6C1912A41669870CD4E33102025B50674A3F6BD990B6E740D465D5A277E7FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253763Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:21.066{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EF04DD9D33C862C22A093C03646140,SHA256=E4DFDB5151DDFB6A3F9F7E8E993B0CAB03073C6503E64DF22B18768FBDAEB857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492568Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.717{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492567Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.717{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492566Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.717{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492565Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.617{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492564Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.617{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492563Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.617{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5479|C:\Program Files\Mozilla Firefox\xul.dll+dc68ef|C:\Program Files\Mozilla Firefox\xul.dll+10eafb6|C:\Program Files\Mozilla Firefox\xul.dll+dc33ed|C:\Program Files\Mozilla Firefox\xul.dll+da81b0|C:\Program Files\Mozilla Firefox\xul.dll+1e87152|C:\Program Files\Mozilla Firefox\xul.dll+1971ffb|C:\Program Files\Mozilla Firefox\xul.dll+1974171|C:\Program Files\Mozilla Firefox\xul.dll+170b7e6|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+16b8275|UNKNOWN(0000023DE7B41E84) 23542300x800000000000000018492562Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.602{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F089F167500DF04DE5ADF53906D084B9,SHA256=AB8FE7D4457B5B7FB79102CF5152BB7C1C8168FAEE95BCC047784759B8B68BA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492561Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.437{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492560Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492559Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492558Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492557Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492556Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492555Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492554Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492553Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492552Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492551Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492550Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492549Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492548Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492547Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492546Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492545Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492544Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.418{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492543Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.402{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492542Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.402{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5479|C:\Program Files\Mozilla Firefox\xul.dll+dc68ef|C:\Program Files\Mozilla Firefox\xul.dll+10eafb6|C:\Program Files\Mozilla Firefox\xul.dll+dc33ed|C:\Program Files\Mozilla Firefox\xul.dll+da81b0|C:\Program Files\Mozilla Firefox\xul.dll+1e87152|C:\Program Files\Mozilla Firefox\xul.dll+1971ffb|C:\Program Files\Mozilla Firefox\xul.dll+1974171|C:\Program Files\Mozilla Firefox\xul.dll+170b7e6|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170bc7a|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1cb9179|UNKNOWN(0000023DE7B47DE4) 10341000x800000000000000018492541Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.402{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492540Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.402{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492539Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.402{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492538Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.386{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492537Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.386{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492536Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.386{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5479|C:\Program Files\Mozilla Firefox\xul.dll+dc68ef|C:\Program Files\Mozilla Firefox\xul.dll+10eafb6|C:\Program Files\Mozilla Firefox\xul.dll+dc33ed|C:\Program Files\Mozilla Firefox\xul.dll+da81b0|C:\Program Files\Mozilla Firefox\xul.dll+1e87152|C:\Program Files\Mozilla Firefox\xul.dll+1971ffb|C:\Program Files\Mozilla Firefox\xul.dll+1974171|C:\Program Files\Mozilla Firefox\xul.dll+170b7e6|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170bc7a|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1cb9179|UNKNOWN(0000023DE7B47DE4) 10341000x800000000000000018492535Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.355{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492534Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.286{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492533Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.170{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 354300x800000000000000018492532Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.929{CBEA6AB7-4F61-619B-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60601-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 354300x800000000000000018492531Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.929{CBEA6AB7-4F61-619B-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60601-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 354300x800000000000000018492530Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.821{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-970.attackrange.local60600-false10.0.1.14win-dc-970.attackrange.local389ldap 354300x800000000000000018492529Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.821{CBEA6AB7-4F82-619B-1600-000000000F02}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60600-false10.0.1.14win-dc-970.attackrange.local389ldap 354300x800000000000000018492528Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.812{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60599-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000018492527Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:17.812{CBEA6AB7-4F82-619B-1600-000000000F02}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60599-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 10341000x800000000000000018492526Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.155{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492525Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.155{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492524Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.155{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492523Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.155{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492522Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.139{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492521Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.139{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492520Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.139{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492519Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.136{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E7-619B-9501-000000000F02}2176C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5479|C:\Program Files\Mozilla Firefox\xul.dll+dc68ef|C:\Program Files\Mozilla Firefox\xul.dll+10eafb6|C:\Program Files\Mozilla Firefox\xul.dll+dc33ed|C:\Program Files\Mozilla Firefox\xul.dll+da81b0|C:\Program Files\Mozilla Firefox\xul.dll+1e87152|C:\Program Files\Mozilla Firefox\xul.dll+1971ffb|C:\Program Files\Mozilla Firefox\xul.dll+1974171|C:\Program Files\Mozilla Firefox\xul.dll+170b7e6|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170bc7a|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1cb9179|UNKNOWN(0000023DE7B47DE4) 10341000x800000000000000018492518Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.135{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492517Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.135{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492516Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.135{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492515Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492514Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492513Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492512Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492511Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492510Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492509Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492508Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492507Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492506Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492505Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492504Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.117{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492503Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.102{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55F0-619B-9601-000000000F02}5356C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5479|C:\Program Files\Mozilla Firefox\xul.dll+dc68ef|C:\Program Files\Mozilla Firefox\xul.dll+10eafb6|C:\Program Files\Mozilla Firefox\xul.dll+dc33ed|C:\Program Files\Mozilla Firefox\xul.dll+da81b0|C:\Program Files\Mozilla Firefox\xul.dll+1e87152|C:\Program Files\Mozilla Firefox\xul.dll+1971ffb|C:\Program Files\Mozilla Firefox\xul.dll+1974171|C:\Program Files\Mozilla Firefox\xul.dll+170b7e6|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170bc7a|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+17f9031|C:\Program Files\Mozilla Firefox\xul.dll+1a03190|C:\Program Files\Mozilla Firefox\xul.dll+19ff089 10341000x800000000000000018492502Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.086{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492501Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.086{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492500Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.086{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492499Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.086{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492498Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.086{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5479|C:\Program Files\Mozilla Firefox\xul.dll+dc68ef|C:\Program Files\Mozilla Firefox\xul.dll+10eafb6|C:\Program Files\Mozilla Firefox\xul.dll+dc33ed|C:\Program Files\Mozilla Firefox\xul.dll+da81b0|C:\Program Files\Mozilla Firefox\xul.dll+1e87152|C:\Program Files\Mozilla Firefox\xul.dll+1971ffb|C:\Program Files\Mozilla Firefox\xul.dll+1974171|C:\Program Files\Mozilla Firefox\xul.dll+170b7e6|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170bc7a|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+17f9031|C:\Program Files\Mozilla Firefox\xul.dll+1a03190|C:\Program Files\Mozilla Firefox\xul.dll+19fe0c5 10341000x800000000000000018492497Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:21.071{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 23542300x800000000000000018492588Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.985{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78203B11AF045FFAA737FB0BEC9BAC9,SHA256=AE06D367E50321B03979FF60097546B6E31026A2AD3D6AC8D439206E37E2DA8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253764Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:22.081{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42940A88817AFBFD8E7C8EB70276AB62,SHA256=01FA3240BDF9E1A25A6A099DA153104D23FD01A386505F1372E6F51A3920AE74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492587Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018492586Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492585Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492584Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492583Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492582Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492581Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492580Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492579Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-5528-619B-5E01-000000000F02}45046572C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492578Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-55E4-619B-9101-000000000F02}59887708C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492577Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-5528-619B-5E01-000000000F02}45046572C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492576Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.539{CBEA6AB7-5528-619B-5E01-000000000F02}45046572C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492575Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.538{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492574Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.538{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492573Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.538{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492572Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:22.538{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-9852-619B-F309-000000000F02}2228C:\Users\Administrator\Downloads\WebBrowserPassView.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018492571Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:18.440{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60602-false10.0.1.12-8000- 354300x800000000000000018492570Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:18.181{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-59020-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x80000000000000001253766Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:20.451{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53612-false10.0.1.12-8000- 23542300x80000000000000001253765Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:23.097{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF0ABC6985985EAA1734BBAB7000A57,SHA256=5BDE7E9B25C878B90FE88465509A4B2BAB16352F57FE95AB5F4B82D8A391FE21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492591Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:23.632{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492590Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:23.632{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-8A4D-619B-1808-000000000F02}6416C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492589Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:23.571{CBEA6AB7-4F8F-619B-2E00-000000000F02}1156NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211122080641-302MD5=A1D0D577F42544DD772EFF490FF2796C,SHA256=BAF9C27C7C1429C61A9430176677A01FBBE9BC9408F59946D1FBAFE42606F366,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253767Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:24.113{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1487A7A25F0B6B8C29F10BD12315620,SHA256=0C2C1F91EB7FE3F5E42F9BFB28ABF69EDBA284151BB3262ED86BA46C0329144A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492593Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:24.585{CBEA6AB7-4F8F-619B-2E00-000000000F02}1156NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211122080639-303MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492592Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:24.016{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C604DDEB17D01B3DCCEA22383CE407,SHA256=3889C587DA054000F940D734C8B41A30285E4D33740DE427C99F518DDC11FDB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253768Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:25.128{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471028A9D862445FDB9B8E46B9E6DD7E,SHA256=CBA96B2CD1716675FB07A8AEC4B795E0D73D4525705F7A3D43C86DC9ADBD5E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492594Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:25.034{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D70CDD5143508F3339C8424985C2C4,SHA256=5C67998C39620FE20594D5A12A96F66F08008B24190F5A0DA367C83C314F05B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492595Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:26.052{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15554643DEE954333145707ACBDF8750,SHA256=CECAE5066E453C704C1B8243DD29BD137CFCDCA15C70E51EA033401593E0AD06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253770Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:23.628{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-57010-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253769Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:26.159{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FE0CC3BA1B4027AE20F1B77A2C5ACB,SHA256=02F037E16601D41303FF60E45BC370614B4B920EF9C88800B69C0094F2863239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253771Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:27.175{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054C04C5EF6AE28D9358AD19143CDF7E,SHA256=CAF54429A1A0507FC1A89E9A515FE8954F02B390B958CC53C9743F120E87A901,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492599Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:24.202{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-38860-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492598Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:27.131{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C83DCEB5228A9368472BC895FA467175,SHA256=A85DFF5EA91D62ACC5290D5FFBC9A8AF0E3CB26EF04895606379737C600688D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492597Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:27.131{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCEB99FB096203A0122942DC08E848E,SHA256=C165321C09A79013BB09C448B26346B31187284BD3C6C379BA0737759EAB5F36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492596Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:27.066{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791B38BEFAB3268884894F22A652E1AD,SHA256=2B896FDE893610A94ADA75F4B8A8FF01E739207FBD2A5B679F64D56D49299228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253774Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:26.451{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53613-false10.0.1.12-8000- 354300x80000000000000001253773Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:26.188{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-34130-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253772Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:28.191{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049966620CC0FE0A3F15373C4AA04E43,SHA256=2838A3E72972D0B4A86B9C41653BC8828E84EF3341EBD8365628BAB600E97840,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492610Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.834{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492609Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.834{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492608Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.834{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5479|C:\Program Files\Mozilla Firefox\xul.dll+dc68ef|C:\Program Files\Mozilla Firefox\xul.dll+10eafb6|C:\Program Files\Mozilla Firefox\xul.dll+dc33ed|C:\Program Files\Mozilla Firefox\xul.dll+da81b0|C:\Program Files\Mozilla Firefox\xul.dll+1e87152|C:\Program Files\Mozilla Firefox\xul.dll+1971ffb|C:\Program Files\Mozilla Firefox\xul.dll+1974171|C:\Program Files\Mozilla Firefox\xul.dll+170b7e6|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1ae0eae|C:\Program Files\Mozilla Firefox\xul.dll+170bc7a|C:\Program Files\Mozilla Firefox\xul.dll+1b3ab4a|C:\Program Files\Mozilla Firefox\xul.dll+16510e0|C:\Program Files\Mozilla Firefox\xul.dll+1cb9179|UNKNOWN(0000023DE7B47DE4) 354300x800000000000000018492607Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:24.351{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60603-false10.0.1.12-8000- 10341000x800000000000000018492606Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.265{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x800000000000000018492605Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.265{CBEA6AB7-5528-619B-5E01-000000000F02}45046572C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492604Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.265{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492603Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.265{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492602Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.249{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492601Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.249{CBEA6AB7-5528-619B-5E01-000000000F02}45044696C:\Windows\Explorer.EXE{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492600Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.081{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84161646A15DC23C8739EE8698257DC,SHA256=9E65ADD7D40A8284B823F24197D799360F86CDA6B41CB4952F69642FAEC6DE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253775Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:29.222{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BD90E8F8A4F51CE7375DB9C6A982B6,SHA256=16D1F2F37F9641584774BCA46F9E4607B12F235D02C2FC4A743BCB8612CEF7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492622Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.996{CBEA6AB7-4F82-619B-1100-000000000F02}436NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3EB3321F8A5E5F9ED97DD65FCD40F30F,SHA256=EA6D426A57F2812AC62330AB2F15F8695A299911010FFEF579892585B464815F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492621Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.929{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492620Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.912{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492619Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.912{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018492618Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.896{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\cache2\doomed\16166MD5=629571835B020DC5833DD8F7DFB49A57,SHA256=103A85B5159B65E2969F9F3409FA4B0C224160A11416FF96562BB74E3C944FBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492617Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.829{CBEA6AB7-55E4-619B-9101-000000000F02}59886400C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492616Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.765{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b41436|C:\Program Files\Mozilla Firefox\xul.dll+39c5a0|C:\Program Files\Mozilla Firefox\xul.dll+39c1b9|C:\Program Files\Mozilla Firefox\xul.dll+39c068|C:\Program Files\Mozilla Firefox\xul.dll+b57680|C:\Program Files\Mozilla Firefox\xul.dll+b56ffd|C:\Program Files\Mozilla Firefox\xul.dll+b500b4|C:\Program Files\Mozilla Firefox\xul.dll+b554b8|C:\Program Files\Mozilla Firefox\xul.dll+b55c4b|C:\Program Files\Mozilla Firefox\xul.dll+38eb41|C:\Program Files\Mozilla Firefox\xul.dll+b56a29|C:\Program Files\Mozilla Firefox\xul.dll+b599e2|C:\Program Files\Mozilla Firefox\xul.dll+b56446|C:\Program Files\Mozilla Firefox\xul.dll+38e307|C:\Program Files\Mozilla Firefox\xul.dll+b358ef|C:\Program Files\Mozilla Firefox\xul.dll+1e9b50a 10341000x800000000000000018492615Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.734{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492614Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.734{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492613Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.728{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-5CF0-619B-8602-000000000F02}6668C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492612Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.712{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-55E6-619B-9201-000000000F02}4768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e88cbb|C:\Program Files\Mozilla Firefox\xul.dll+192a801 23542300x800000000000000018492611Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:29.096{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B7BB0A66BDA0D6929A8EEA9B43C9C1,SHA256=E1175C567206BA93872AFF1BDB4AC8DAC6524F82DDE731FED7A5D73FC6FF5014,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492624Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.112{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC141B6083971166B7574611BC62E43,SHA256=0241BC5EAFDD232E3D91341B44F14829A0373DCA83167C7D46B19E7D87EFB0AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253776Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:30.238{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D756FB77D87A1A46262F8812186C0AB,SHA256=85877DADC5DECEA38E37A5E51141F69B9EE8D9FF8346AD54ED524646924945EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492623Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.012{CBEA6AB7-55E4-619B-9101-000000000F02}59886036C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-5661-619B-A901-000000000F02}3332C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dc5337|C:\Program Files\Mozilla Firefox\xul.dll+7ee969|C:\Program Files\Mozilla Firefox\xul.dll+7e2b8a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018492630Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.127{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60605-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000018492629Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.116{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53327- 354300x800000000000000018492628Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:28.103{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local58672- 354300x800000000000000018492627Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:27.989{CBEA6AB7-55E4-619B-9101-000000000F02}5988C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60604-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 23542300x800000000000000018492626Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:31.429{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C83DCEB5228A9368472BC895FA467175,SHA256=A85DFF5EA91D62ACC5290D5FFBC9A8AF0E3CB26EF04895606379737C600688D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492625Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:31.129{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF37FEB1770A560920BE02233E45B57B,SHA256=D80BCAF37F7D56369F77702F56111FEED48B23FA62F5129309DAFBCA87DAAEA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253778Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:31.675{068A336D-4F84-619B-1200-000000001002}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=807E8AC836BCA0EF300B62F5911239A5,SHA256=C381C4E13571BD7CC5E66C8CB5BE5F6A17CCF35B36CBCDE30CD16E847EA4A500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253777Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:31.269{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37AFDBBDF588C925887505E9F9632F5,SHA256=671D81554C47172C3AEF93A6687D9610E44BFFE278D1CC5930240030EB4CDFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492631Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:32.148{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D337BC4DEA9F5B47382BF5BB2FEBF4,SHA256=F05D84300564D7F7507F60ECFFF3419C4F7623C3DD91A8D07348DA8F4F2E2B06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253779Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:32.300{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C9EB871DBF21B34DC863C1755943F7,SHA256=0BB39AE623393205665CDBC14458CC57EFEEC1821E17C28CB36D3F0B9DB578E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253780Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:33.316{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2B11423DA86884C088FB7E6EF6ECBC,SHA256=B9AE1D580E8FE1BC3157C6C2CFFD50FD46E84105B60F4F704EE9D45937F75B2E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000018492659Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.097{CBEA6AB7-55E4-619B-9101-000000000F02}5988app.any.run02606:4700:10::6816:304a;2606:4700:10::ac43:1459;2606:4700:10::6816:314a;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018492658Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.074{CBEA6AB7-55E4-619B-9101-000000000F02}5988stackoverflow.com0151.101.1.69;151.101.129.69;151.101.193.69;151.101.65.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018492657Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.074{CBEA6AB7-55E4-619B-9101-000000000F02}5988stackoverflow.com0::ffff:151.101.65.69;::ffff:151.101.1.69;::ffff:151.101.129.69;::ffff:151.101.193.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018492656Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.064{CBEA6AB7-55E4-619B-9101-000000000F02}5988e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018492655Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.063{CBEA6AB7-55E4-619B-9101-000000000F02}5988e15317.a.akamaiedge.net0104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000018492654Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.062{CBEA6AB7-55E4-619B-9101-000000000F02}5988www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000018492653Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.285{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60606-false10.0.1.12-8000- 354300x800000000000000018492652Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.142{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-51102-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000018492651Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.071{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57214- 354300x800000000000000018492650Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.071{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53164- 354300x800000000000000018492649Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.066{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59023- 354300x800000000000000018492648Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.064{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59152- 354300x800000000000000018492647Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.063{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local55019- 354300x800000000000000018492646Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.059{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51847- 354300x800000000000000018492645Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.059{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54360- 354300x800000000000000018492644Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.058{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57597- 354300x800000000000000018492643Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.058{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57263- 354300x800000000000000018492642Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.056{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53716- 354300x800000000000000018492641Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.055{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local56228- 354300x800000000000000018492640Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.055{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local54734- 354300x800000000000000018492639Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.054{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local51680- 354300x800000000000000018492638Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.052{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65008- 354300x800000000000000018492637Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:30.052{CBEA6AB7-4F8F-619B-2900-000000000F02}2920C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local64948- 13241300x800000000000000018492636Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:17:33.278{CBEA6AB7-4F8F-619B-2C00-000000000F02}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\583610C9-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_583610C9-0000-0000-0000-100000000000.XML 13241300x800000000000000018492635Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:17:33.263{CBEA6AB7-4F8F-619B-2C00-000000000F02}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9D186EAE-3FAB-47AA-9E34-ADCAE99EEC51\Config SourceDWORD (0x00000001) 13241300x800000000000000018492634Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-22 13:17:33.263{CBEA6AB7-4F8F-619B-2C00-000000000F02}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9D186EAE-3FAB-47AA-9E34-ADCAE99EEC51\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9D186EAE-3FAB-47AA-9E34-ADCAE99EEC51.XML 23542300x800000000000000018492633Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:33.210{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9F2CBD27F6728A57356BE03C653FDD,SHA256=ABBC26BE2EC8F2A7B96822801AC5A3376E789F3D4992D2987E2E35FD6E4AF68E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492632Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:33.194{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFC7E62E35DDACF007535BA35346D99C,SHA256=F801873D5A7389B29DC1E8F578E87AFAF0BC9F60BC5EE83C8940603393594250,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492667Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:31.527{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60609-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000018492666Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:31.527{CBEA6AB7-4F8F-619B-2C00-000000000F02}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60609-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000018492665Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:31.520{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60608-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000018492664Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:31.520{CBEA6AB7-4F8F-619B-2C00-000000000F02}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60608-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000018492663Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:31.501{CBEA6AB7-4F81-619B-0D00-000000000F02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60607-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local135epmap 354300x800000000000000018492662Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:31.501{CBEA6AB7-4F8F-619B-2C00-000000000F02}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60607-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local135epmap 23542300x800000000000000018492661Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:34.326{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBF7883A2F7554D140BE2B34AF5570AD,SHA256=5FBBCEC342030CD171F347CC5ED010564280B199B94CD2DCAB063C89F33409ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492660Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:34.231{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05742FFC984BA545F5B549C3851C2C68,SHA256=F1C17E4591EE117835CA03D326B62147302A6FD660A31D7B96CF7B1C15EE2DE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253781Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:34.331{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6092442BA222D0422BE496E3ABFC126A,SHA256=29DC3A8D19B0399733135C79A6C450CD0378913F01C1E30117733DD4BC4791B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492669Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:35.877{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=660C2A4332B34A4C919876800F5C2CA7,SHA256=6CC7D4385E92A29511C0ABBD4220848D86B711E5E81EB0C53A9108F8BC409112,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492668Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:35.246{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D23FFB475192F0F57E871AE0B355AF,SHA256=AD9EDE8771396C94C0B8EBE16081A13145B55EDD8A340723E7F0BC4E4E716EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253784Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:33.187{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-43220-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253783Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:35.347{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3EBAA98429D87017B88FB2BF120A90,SHA256=4C3CA58DA4C1F2F2C36A875D593D4FCD3501D9E72012C56BCB79DB737AF00156,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253782Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:32.326{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53614-false10.0.1.12-8000- 23542300x800000000000000018492670Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:36.276{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6536F0C7F83F60EC62B235E952C1D547,SHA256=BB238C5220B52418869283BBB930A75740284A6F829B1CBDE930F7DD53614A29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253786Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:34.168{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-48558-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253785Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:36.362{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A710D604BBA5645AEE9F6A71D97A0F4E,SHA256=0819AC1F0D674C988E03249F2DAE8D63C8EAED72FAAB81C6BA33F8096567FA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253787Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:37.378{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2D854E748A65D652DCBD7830121612,SHA256=0D1B61F6C60DBA45EE7F9096417D6F8116864F9E3CFB43395501A1B5DA99380D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492671Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:37.291{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3453B59693F6DAE0E8397EBB417CBB0A,SHA256=FC19A1CD98C648FA36A8A0C328DAFD9EA5E8F859643B15AC605E62DD1299610B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253788Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:38.394{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ECB9B698573F58BC91CCA3B687CBC2,SHA256=E6864DAB2D853907C9396D149F74829309B7BF698B51AFB19739FEE257B3BFD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492674Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:35.398{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-40482-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492673Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:38.306{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D890AB927E192BD1666EF5FF2B2E5AED,SHA256=2426B81DE0703033738125AD79E86FE3DFB2B4134B5B36A4B35AA760BDE13390,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492672Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:38.290{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12D8634C578BACD408DB9273092EE25F,SHA256=E6E3527EB9626F128F808A681C3E9A16E8B8080BCD09527834EAA1A3BB4C662F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253789Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:39.425{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF30831AC413585AFD2CC08460EF35C4,SHA256=22A54DCCCDD9C5C21AB500B19F3036F0D43279237A0E0BD1CD045A965277B280,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492676Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:36.312{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60610-false10.0.1.12-8000- 23542300x800000000000000018492675Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:39.323{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD82E2008F9FEFF29760F1160CA1E9D,SHA256=A482E45EBF710EFD331726FF908AA677BC8493081AEC1035D6D31F245C660F9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253817Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9874-619B-2209-000000001002}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253816Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253815Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253814Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253813Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253812Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253811Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253810Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253809Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253808Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253807Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9874-619B-2209-000000001002}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253806Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.972{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9874-619B-2209-000000001002}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253805Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.973{068A336D-9874-619B-2209-000000001002}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001253804Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9874-619B-2109-000000001002}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253803Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253802Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253801Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253800Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253799Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253798Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253797Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253796Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253795Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253794Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9874-619B-2109-000000001002}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253793Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.472{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9874-619B-2109-000000001002}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253792Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.473{068A336D-9874-619B-2109-000000001002}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253791Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:40.441{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89760EAC18F267234E3A89ED74B1EE5A,SHA256=87E96C3D6718E435E7EC6E0DC23681142B876E75767B37FFA4F739734C64C246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492677Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:40.341{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C8D1AD2FAA985D407138FC5CFA1CA3,SHA256=A072FA9E964072C0D436DE879E133CA4554192B75BB7267A9F439562BF51DA15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253790Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:37.373{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53615-false10.0.1.12-8000- 23542300x80000000000000001253832Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.722{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410E419D7F0DAA1F4E809B72D22EF250,SHA256=D9DDC8085D9E5105FC5AE1BD75BF7379CB4AC6DECD41E0DCA3CF62249CE00BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001253831Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9875-619B-2309-000000001002}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253830Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253829Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253828Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253827Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253826Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253825Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253824Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253823Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253822Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253821Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9875-619B-2309-000000001002}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253820Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9875-619B-2309-000000001002}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253819Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.644{068A336D-9875-619B-2309-000000001002}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492678Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:41.356{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12E33F2A6CAC3BB629305642016D42E,SHA256=6AA673A9459AE03216DE505F39A514ECBFE72F3D04C6DCACEDC8D439EE369FB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253818Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.175{068A336D-9874-619B-2209-000000001002}29201556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253833Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:42.706{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B48C2A9F1F2A4113D72BD9C3083A38B,SHA256=E265C17C2EEE6CB0D62C1C3E4FF683A29A31DF99051F938FB38B0B351F9D60A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492681Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:39.331{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-43290-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492680Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:42.455{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=847C8D1EA31ADF174B937520ABFF864D,SHA256=1A052D812D0D98C327A9D65BD65FAA81BAD5C1B36741960CDB25375A7A4B3A63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492679Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:42.371{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9A6E50DE27E6FC54CD9A494F14B83D,SHA256=F5003DD4D7A6AFA961F035BC901A1C786750FC725252119A31499642B03D9ECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253834Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:43.722{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE44823583BE570A2F57845C57D4D1CD,SHA256=0EAB1867AACC4B51A9DAEEE0C210541C561F6336363D142210D5528F6D0D820D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492684Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:43.702{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492683Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:43.639{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=492A1099E040187082DEF37FAEB90332,SHA256=59BDBC1808BE7DDA8C0B22856079E7577D6DC1F461C9753B9B041054D59C46A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492682Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:43.402{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5E1BFAB811B613395EC85FC35AA1F8,SHA256=37896CA4D264A3FFDF2AA3D7490CA773011C6973785276BD56F27501735C5C4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492686Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:40.748{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-42494-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492685Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:44.402{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA4DFDB64E07E307B6EF330F97F1DD3,SHA256=8CA760E0B81A1E819F17757C9154F49C074EDC51215E704327F8DEC21699A4C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253864Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.659{068A336D-9878-619B-2509-000000001002}34563888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253863Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9878-619B-2509-000000001002}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253862Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253861Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253860Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253859Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253858Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253857Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253856Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253855Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253854Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253853Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9878-619B-2509-000000001002}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253852Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.503{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9878-619B-2509-000000001002}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253851Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.504{068A336D-9878-619B-2509-000000001002}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001253850Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.237{068A336D-9878-619B-2409-000000001002}2908640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001253849Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.181{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-60682-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253848Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:41.031{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-37760-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001253847Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9878-619B-2409-000000001002}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253846Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253845Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253844Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253843Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253842Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253841Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253840Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253839Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253838Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253837Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F82-619B-0500-000000001002}416432C:\Windows\system32\csrss.exe{068A336D-9878-619B-2409-000000001002}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253836Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.003{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9878-619B-2409-000000001002}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253835Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.004{068A336D-9878-619B-2409-000000001002}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001253880Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.331{068A336D-9879-619B-2609-000000001002}19241444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001253879Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:42.373{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53616-false10.0.1.12-8000- 10341000x80000000000000001253878Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-9879-619B-2609-000000001002}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253877Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F82-619B-0500-000000001002}41692C:\Windows\system32\csrss.exe{068A336D-9879-619B-2609-000000001002}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253876Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253875Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253874Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253873Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253872Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253871Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-9879-619B-2609-000000001002}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253870Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253869Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253868Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253867Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253866Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.147{068A336D-9879-619B-2609-000000001002}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253865Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:45.144{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076AC3D71CF85A9BB1AEE1F11938D5E8,SHA256=EE645DC099C70947FA7BF990D0EABE412B5D4C005C509F0A7C6FFFBA88C4F598,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492688Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:42.307{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60611-false10.0.1.12-8000- 23542300x800000000000000018492687Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:45.406{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671926BD330190ED4F9A9F0B06829938,SHA256=79AA4A8941A241F7DC63DCE9704526D2675CC8CBEE38FAA7ED0BA9E9B79BB516,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253882Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:46.394{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A36F4B8F761D49C66AD72E7329554F,SHA256=150D8EBA81F7AFD711D716F2E252F118962424379AB940781552046C35E6E47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492689Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:46.407{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026AFF3B2DBFD0BF41288913223FDA7E,SHA256=FBAE393E3E15401E103BE7F4E954C224ED61292ACE719370F917BA6E98E291CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253881Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:44.171{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-42050-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253884Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:47.566{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3619CD8A14257ABAF10904FCC3078C4,SHA256=73B9086F37C975697E188AEBB4EECD278C29E469B1E3762383849416AC8BED75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492690Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:47.423{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0A72346F8BD9F9F0A7B76392B2C65F,SHA256=66E517DF3C2DB5B8CBD41D1236E1EC0142A4588904609D1F11E5FE3758AD2286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253883Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:47.519{068A336D-4F85-619B-1F00-000000001002}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253898Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.644{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DD7CD1752C929C1FAF5CD8E621FC70,SHA256=3F894F7A1E039546C8165C784B1C7C4820B86714CE13D4CDAF4D843BC3A855DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492699Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.942{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-987C-619B-F409-000000000F02}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492698Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.942{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492697Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.942{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492696Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.942{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492695Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.942{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492694Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.942{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-987C-619B-F409-000000000F02}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492693Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.942{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-987C-619B-F409-000000000F02}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492692Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.943{CBEA6AB7-987C-619B-F409-000000000F02}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492691Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.442{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624B8B17A19551926BD1A2F4A385C229,SHA256=AA88B90A09F05AB55168AF597E0C878BEC20E8A0A395451BF073231D96A94E5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000001253897Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F86-619B-2E00-000000001002}18482796C:\Windows\system32\conhost.exe{068A336D-987C-619B-2709-000000001002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253896Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253895Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253894Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253893Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253892Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253891Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253890Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253889Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253888Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F83-619B-0C00-000000001002}7283108C:\Windows\system32\svchost.exe{068A336D-4F85-619B-1E00-000000001002}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253887Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F82-619B-0500-000000001002}416532C:\Windows\system32\csrss.exe{068A336D-987C-619B-2709-000000001002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001253886Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.159{068A336D-4F85-619B-1F00-000000001002}19603904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-987C-619B-2709-000000001002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001253885Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.160{068A336D-987C-619B-2709-000000001002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-4F83-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253901Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:49.659{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEDBF110B94C04FF8DF25788841B04E,SHA256=F4499D54F7570820120A694997E03B3F916B6A036219A6A45CE02833A6BAAC91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492712Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:46.730{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-55644-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492711Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.673{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39A53E0E6EBB81788F37AAA9C5F49B0D,SHA256=628E400F4A95AC67D7278459189A6B09A7C1FE1EEA6A36BE7EB2F299F1B9488A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492710Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.673{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96B7A52034F69A741F76B21F4CF59C8F,SHA256=455CD0BEA487F74CF49E513B953B64C996FF4C5AA7F9B0EA9852664ACF61DB00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492709Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.557{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-987D-619B-F509-000000000F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492708Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.557{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492707Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.557{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492706Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.557{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492705Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.557{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492704Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.557{CBEA6AB7-4F7F-619B-0500-000000000F02}412428C:\Windows\system32\csrss.exe{CBEA6AB7-987D-619B-F509-000000000F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492703Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.557{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-987D-619B-F509-000000000F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492702Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.558{CBEA6AB7-987D-619B-F509-000000000F02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492701Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.473{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663CD88D253FB96DEFB3EA85834F815E,SHA256=DB19A020B37B96244F9F4FA6A5445976D4F023A4B527EC69DC4C7B6A2D3217F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253900Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:46.748{068A336D-4F85-619B-1F00-000000001002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53617-false10.0.1.12-8089- 354300x80000000000000001253899Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:46.214{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-48728-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000018492700Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:49.157{CBEA6AB7-987C-619B-F409-000000000F02}61847556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001253904Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:50.691{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73654CE2EAC3956891B1420F07E881C,SHA256=E52C8214A0C9AD3D90CD9350091757B6B70ACFAEF5247B3459008270C3CD5C6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253903Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:48.195{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-52864-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253902Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:47.468{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53618-false10.0.1.12-8000- 23542300x800000000000000018492723Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.743{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\xulstore.jsonMD5=D310E52C296A680A9D5EB8ACA4098E39,SHA256=02647C8ECF9736F1BCEED9431CECAA2EA9CA858F0329D5C0B440EAD5804069A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492722Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.625{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\aborted-session-pingMD5=A1DE7501A99DF0F19427AD4CDBCD5F17,SHA256=D51DBFB49F06D487E8CE40388BE8262B50D8787A6FD320D1A236B74AB7C4BE35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492721Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.473{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097C1E687DD4634EECF5096E221FDCDF,SHA256=3CC1CAB0797CDF058909C38C0A6DB2F8C2DB842B5D8AD03F62A89326F2BA6785,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492720Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.242{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-987E-619B-F609-000000000F02}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492719Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.242{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492718Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.242{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492717Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.242{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492716Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.242{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492715Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.242{CBEA6AB7-4F7F-619B-0500-000000000F02}4122932C:\Windows\system32\csrss.exe{CBEA6AB7-987E-619B-F609-000000000F02}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492714Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.242{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-987E-619B-F609-000000000F02}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492713Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.243{CBEA6AB7-987E-619B-F609-000000000F02}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001253906Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:51.807{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F7FCB0CEFCB04160430B3C1D49466A,SHA256=004EF8A8C66DF006AE0A2941BB568080CC687B16462D695F9A82EC3115B082C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492733Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.943{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-987F-619B-F709-000000000F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492732Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.943{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492731Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.943{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492730Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.943{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492729Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.943{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492728Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.943{CBEA6AB7-4F7F-619B-0500-000000000F02}412480C:\Windows\system32\csrss.exe{CBEA6AB7-987F-619B-F709-000000000F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492727Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.943{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-987F-619B-F709-000000000F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492726Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.944{CBEA6AB7-987F-619B-F709-000000000F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492725Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.475{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA91C2686981A813EF8BFF4CBA426F5,SHA256=52F4F828FAE62A9E6C2EC13BFD06183769D9438FCCA76F91CA59EA2B73A6A146,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253905Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:49.275{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-55400-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000018492724Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:51.244{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39A53E0E6EBB81788F37AAA9C5F49B0D,SHA256=628E400F4A95AC67D7278459189A6B09A7C1FE1EEA6A36BE7EB2F299F1B9488A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253907Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:52.854{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103819EA26FAF22CB523B0E06417281B,SHA256=D6C556627EBFCABE119C9B8BA11196461C73B32A85F4C7777992721889609F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492746Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.964{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E40539B7B484421840232F14208D97B2,SHA256=E4972DCC6E41AA334E8988F7471524031B100D0C75E0368C06A6F6632F630C83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492745Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.842{CBEA6AB7-9880-619B-F809-000000000F02}64085260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492744Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.605{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9880-619B-F809-000000000F02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492743Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.605{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492742Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.605{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492741Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.605{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492740Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.605{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492739Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.605{CBEA6AB7-4F7F-619B-0500-000000000F02}412428C:\Windows\system32\csrss.exe{CBEA6AB7-9880-619B-F809-000000000F02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492738Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.605{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9880-619B-F809-000000000F02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492737Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.606{CBEA6AB7-9880-619B-F809-000000000F02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018492736Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.490{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3653BE2B1519EC0EBFEFD38083DF03F,SHA256=7E47D87B07F94FAE7C7BD6E12D9042AA19F15C5402406D9E9CB7BE189EAAB8D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492735Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:52.127{CBEA6AB7-987F-619B-F709-000000000F02}76526768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018492734Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.310{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60612-false10.0.1.12-8000- 23542300x80000000000000001253908Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:53.854{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E48AAC0D16F3BDAF2594305D7317E7D,SHA256=CB2EB846D034B0C17DDB6EDBC23010378A716101CED05CAA09AE7A1CE57DCC24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018492766Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.963{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9881-619B-FA09-000000000F02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492765Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.963{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492764Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.963{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492763Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.963{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492762Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.963{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492761Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.963{CBEA6AB7-4F7F-619B-0500-000000000F02}412428C:\Windows\system32\csrss.exe{CBEA6AB7-9881-619B-FA09-000000000F02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492760Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.963{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9881-619B-FA09-000000000F02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492759Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.964{CBEA6AB7-9881-619B-FA09-000000000F02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018492758Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:50.664{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-39460-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492757Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.495{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7071CA1E7DBE98A712833D48581686A6,SHA256=9EBFEF1D0C0B3B3F78DB5682A954EC17667C883A1A27DB3CEF146C8C6C61CBD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492756Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.426{CBEA6AB7-9881-619B-F909-000000000F02}70927568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492755Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.280{CBEA6AB7-4F90-619B-3500-000000000F02}32403260C:\Windows\system32\conhost.exe{CBEA6AB7-9881-619B-F909-000000000F02}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492754Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.280{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492753Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.280{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492752Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.280{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492751Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.280{CBEA6AB7-4F81-619B-0C00-000000000F02}8326896C:\Windows\system32\svchost.exe{CBEA6AB7-4F8F-619B-2F00-000000000F02}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492750Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.280{CBEA6AB7-4F7F-619B-0500-000000000F02}412428C:\Windows\system32\csrss.exe{CBEA6AB7-9881-619B-F909-000000000F02}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018492749Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.280{CBEA6AB7-4F8F-619B-2D00-000000000F02}29962856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-9881-619B-F909-000000000F02}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492748Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.280{CBEA6AB7-9881-619B-F909-000000000F02}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-4F7F-619B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018492747Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:48.699{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-59856-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001253909Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:54.870{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F699DDC8610718F64775D591A0CBC432,SHA256=DD420774B6101D3A3C472F0698F0E83DF4844D395E30CBA8DCCBF8EDCC9BED48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492768Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:54.525{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CD59D1F503156BF5B5B4CC4B382D8D,SHA256=0FF94215C0C2F2A6BC5783179F965E23113C941B6FD2CAB3F6E191B8DB9482DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492767Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:54.294{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B360E415066A7C889DE0B461D443DE95,SHA256=B1ADDE50321F0E179C7367512390993A14177F7154FA7602B924EF71F08B8140,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253911Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:55.995{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF15E88851854F08EA5C5EF287D3CC61,SHA256=3CC960D4441013AE3B581EABE32E6FC6BF9862434ECA1B202CB0C6BD8FC0F9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492769Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:55.544{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F56199C6F3F60AC2D60A63FA46CFF8,SHA256=A27E9AEB9184F270B471C9F06411B1C97D33A30831490790AA9D68D735ABD96F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253910Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:52.489{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53619-false10.0.1.12-8000- 354300x800000000000000018492771Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:53.377{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60613-false10.0.1.12-8000- 23542300x800000000000000018492770Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:56.562{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E810438EF143C88869B9CA8A2BEC506C,SHA256=4E61B3361B8697D8E9D5712229E14F0F02417499AFE5BA7237CE5906DCE48BBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492776Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:54.898{CBEA6AB7-4F7F-619B-0B00-000000000F02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60614-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000018492775Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:54.898{CBEA6AB7-4F8F-619B-2700-000000000F02}2892C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60614-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000018492774Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:57.692{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0CC37A8E14E56323777DC8F79953BB9,SHA256=252D94CC6FFF1C9E1741ACCBC2BB2F13E816D6B620E06761B1DEF33C3F442A1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492773Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:57.577{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C3A1139516BA22BCAE65A4D286E911,SHA256=80F7444AE5D175C416E4D859ACD317288B777D2775942A5A3727418DF25A69F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253912Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:57.093{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900C986DB62F14139DE6537EC26252AB,SHA256=C4A9E64D5707E67B9DCEE118CF25DC53210EF4820D01CC75FCB2815B5D025ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492772Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:57.093{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492778Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:55.313{CBEA6AB7-4F8F-619B-2D00-000000000F02}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60615-false10.0.1.12-8089- 23542300x800000000000000018492777Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:58.592{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F25ED25F4A69B4626F36A879A28334A,SHA256=F491064C32835698D8F96A0C4BD9B9540E9F68AA77505F07970C468346C96F8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253913Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:58.166{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5C33996695D4DF6F837540E472F7D8,SHA256=DCC5E053FF482AA3562B1CD69F9E150CB7C6B8B5F93B41A765654D00A867F6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492779Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:59.622{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97895F2CA5A5AD53E6894919BB23016E,SHA256=9D6DC920CC598FAC7D3C829CF2D95B472AFB59844D80091B60265455E25DBB1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253914Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:59.166{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D63F3B5A1019AD333600105DCCF53D,SHA256=C52E61598551984CA48639252C78094B15BF1A010B19D16050BF4713BC2E3FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492781Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:00.959{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=FD532DC0FDC108AE77CB8BBAE12A9D23,SHA256=E942C0142BB1F37A4DB4A4BE70746CDC0B7CA6CE64C651C650F85BFB09F554AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492780Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:00.659{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305B87BD8462BB03315C0AF154F62DB3,SHA256=C1E1B021226054BDF4101456AEEC2C89509FB14B0254F0EAD04EAF3363FE7C1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253915Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:00.229{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7DBAD16B533D78CBF61C1A0E5AF98E,SHA256=31929B0F869BD27B4EEB55891AC8268221D6338FA9561B4B1484B839F9AB42B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492783Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:01.690{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE658506F1FA1F2FDBAE04860037DDF,SHA256=A35048793E8C1D5C63AB8DFF56E1B66EDD601D0999C02F1EB2B7CE19753CDB8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253919Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:01.245{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9651FF2C75294FC2DE75F5100514FA7C,SHA256=741EB230C222DF35A0DEEF23188722A3AFDE47A63684290F0916EE065B0FE3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492782Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:01.321{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C154A373D3D1476EC54DFABDBE97300,SHA256=C9FBA4F3E904B6FBF1EF9161719E8BE2B90F7F48C47C426B3F033188D48367F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253918Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:58.301{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53620-false10.0.1.12-8000- 354300x80000000000000001253917Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:57.710{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-43554-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253916Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:17:57.676{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-43498-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000018492785Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:02.705{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2746D33FC0B3B6F16AC4763A16C7BC3,SHA256=BD7D595C654B7E4AD79D4B0EFBE79381917AAE9CE7806B197ACA4B54B8869867,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253920Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:02.448{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B4AEACEC1E07F49E6D679C9E11600A,SHA256=D431CB4D73CBD3123BFAD83100A206F56053F081DA04B9F635876D8B6B83F614,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492784Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:58.395{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-53250-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492787Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:03.719{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F91F5538BFBC1E97E603DA1D7A0D4B,SHA256=F5546D2630481589F1AE7D20A3913A917890D8571700456F2BD82C9EB7D0B046,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253921Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:03.463{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86ED7F66700013A7F13FEB1609DC8D7,SHA256=89BB8FA4F3AB2115DBB36CC5A792EC983ADB068C299C6F17A936064F40317F10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492786Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:17:59.357{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60616-false10.0.1.12-8000- 23542300x800000000000000018492788Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:04.739{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF9665506AEB9DA755A43EAB037517E,SHA256=DDB0CA531F0BA380BB12AC5E2675473239DC99567FC5D7339E0B88E795B414AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253923Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:04.495{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2BCBD144E21CC8EB7B58C16F40476E3,SHA256=26231E263DFCE53F517A07F87809C6F320B4F6690A168A29E725DF9DA0E892D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253922Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:01.033{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.39.68.202ns342796.ip-5-39-68.eu50497-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001253925Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:02.665{068A336D-4F84-619B-1000-000000001002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-51084-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001253924Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:05.510{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B5C36E6783E447F2E493C20A85E115,SHA256=544A3C7CB33D828C4D3AFF86C7A5FB8CF07C11C18C1FDE18A2EA8098A0718ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492789Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:05.755{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8A1133ED9309C3D8A4D7F9E8A25A31,SHA256=10E0AED11466089EBB7716EE5455B647F0CD379BEF115E1783CDDE5D688EF4F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000001253927Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:03.348{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53621-false10.0.1.12-8000- 23542300x80000000000000001253926Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:06.541{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485C4C7ED51196827803F1E24FFCDD44,SHA256=00C76329EEAB37737C49C88E9CA7A8CF6ACA3B2CC337C5F59909AE6BE5C8C822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492790Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:06.786{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC73E26E08D8E7F431F2546EE633C61,SHA256=03B1C50099AD55996D8B063925EF5D0AD5C763CF388DC9D13763D479569C43DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492794Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:07.816{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806CD8460115D89C349DDB8E954AF566,SHA256=2D41E2A3C6B6F4F6F8DBA83B0C6C0758FFCBF35BAB107A322EA6C700740E6B04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253928Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:07.557{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AFCFB511095F55D60249A4E77E3E41,SHA256=403DA9D730C6118251B4916D9879A9ABF304C66D9F4CE750FFC501578433DB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492793Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:07.801{CBEA6AB7-55E4-619B-9101-000000000F02}5988ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018492792Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:07.754{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000018492791Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:07.754{CBEA6AB7-55E4-619B-9101-000000000F02}59884704C:\Program Files\Mozilla Firefox\firefox.exe{CBEA6AB7-58B2-619B-F701-000000000F02}7088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+23d0188|C:\Program Files\Mozilla Firefox\xul.dll+22ae5e1|C:\Program Files\Mozilla Firefox\xul.dll+22a8f7a|C:\Program Files\Mozilla Firefox\xul.dll+2e48030|C:\Program Files\Mozilla Firefox\xul.dll+2e614fa|C:\Program Files\Mozilla Firefox\xul.dll+2e41379|C:\Program Files\Mozilla Firefox\xul.dll+2e41095|C:\Program Files\Mozilla Firefox\xul.dll+2e44d7b|C:\Program Files\Mozilla Firefox\xul.dll+2e5c7ed|C:\Program Files\Mozilla Firefox\xul.dll+2e688a8|C:\Program Files\Mozilla Firefox\xul.dll+2e67ca4|C:\Program Files\Mozilla Firefox\xul.dll+2e4bbd0|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80 23542300x800000000000000018492795Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:08.833{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E3649129B26703564ABC52E7338116,SHA256=2437016F8A48F9DD025E332720AE09E0335871A19D8771B0CEE54A5D8E296C72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253929Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:08.573{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342BF5354C3D00E5DC93279A3F50E33D,SHA256=8BEC23CDF48CAA6DB6C79CA17FF20347B07EA0D0F02136A52BF15F1D96D83BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492799Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:09.899{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38C4D83EAE1DBD4BF94CC6C7666CA9BA,SHA256=A951FB96D1CA7F2062F9FD24901200A56ED2CC237E7F5737F61992E0E7F460F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492798Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:09.899{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ABDDF971AA5314E0BCE3C30EA26737E,SHA256=75BFC5C43A95F2C487B9CF9A61FBE4CB923E6B3C0E6844FB6FB2C678108A83AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492797Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:09.852{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E3C1159D74BDCEFBB073069233D349,SHA256=C5401A920D420FC67B0838F054CF274CB801E0E8269DD42A28ABC774E7F4F83E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253930Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:09.588{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC3F146E009030975CECD00D5925422,SHA256=CB69EFE11FD7A9345CDCE74B4679C67FB0D7DEB3AE6F1053A9827C833F57E3AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492796Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:05.337{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60617-false10.0.1.12-8000- 23542300x80000000000000001253931Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:10.604{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DBE778C1F5D433EB892BA7E235F7E8,SHA256=531C5FB77363BA80142C60938980289EDC53D98616720A73EEA493747EA6D2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492801Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:10.867{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53F5CE2EB4B2722233183B7CB33C7BE,SHA256=1E8E85AE4734F8D43682885056C2DB6B8AE8982CF6408EFFCFA9BB1AABAAD472,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018492800Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:06.882{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-43424-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492802Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:11.882{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C422AF985A8B31C841C7CFA2083B29,SHA256=C33D871FE091A450DFE6004B2F3E2D598D438FE02CD3CF23A406AC83A4B8512B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253932Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:11.620{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CFA8AC917CF629637951BF946C2A02,SHA256=B34E8508890D550A29637BF3432161C8EA1EBE1CA861CA04D98646BA7DAA8D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492803Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:12.898{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B3CF94E8123FAEA0E56E5B216206DA,SHA256=4BED6F7B753457C0D02F037DB58F1F8762FA805A080A4CAFD87625AEC84C0844,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253934Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:12.637{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE629B946C3ADFDC6876769A912ED45,SHA256=71BEA804AFBFF6F0956BFB343F871779E4F0E67FC26BBF4C280675C74BF1E1F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253933Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:09.348{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53622-false10.0.1.12-8000- 23542300x800000000000000018492804Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:13.900{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90375F66AAA5CBF98DB61F9053FE495A,SHA256=394DBA38D088A7E656BF3A0382F088808F1D864A4850D8534649F17AD3DC6256,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253935Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:13.652{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47915489DF954BAA5F15E75A5F4B97B2,SHA256=8CA29F325290089B7C6019C338D310CDFBF6B812D8D8B911FF809F2B9A3B533D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492806Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:14.967{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5004390A341EE65B9EE5822C4995167B,SHA256=2936B7ADD5E73E844C8DD79B4F50C45A2EE65824C4B909CC4E6C6A5082CFBDCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253936Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:14.683{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59502AC84EB5FE54C87F0E6B426779E,SHA256=1CBE30C210C90885D5ED0801F7197733B98B173EA5E457F060F341A796089B0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492805Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:10.449{CBEA6AB7-4F9A-619B-6E00-000000000F02}3196C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60618-false10.0.1.12-8000- 23542300x800000000000000018492809Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:15.982{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AF4BC72DB36EBE5E5802B7A4B61B87,SHA256=1027A8B41CE388E524B070930F782D6EB5DCED4F2B458FF36FFF15559F678239,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253937Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:15.717{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9769E281745854FE907B69A2716B843,SHA256=E39C977EE12E04C4B92B19B0DD9F096651CC634A1019EFFF060D7C35822A7769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492808Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:15.533{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F9699958733FDA184BCFC242DB9F05C,SHA256=951E539B2F6D45D273688E064E87AE8A56A6E7805507A8F682A1A9CA6198405A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492807Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:15.532{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38C4D83EAE1DBD4BF94CC6C7666CA9BA,SHA256=A951FB96D1CA7F2062F9FD24901200A56ED2CC237E7F5737F61992E0E7F460F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018492811Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:16.982{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2BC997CFA435220D534CB1EAEA680C,SHA256=5DF779D9C3D3B7994B3EA0C6692E2CB75507BD90E0A319D740C60C51338D63C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253939Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:16.732{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D2D4271063E41F2C5F910F69B36096,SHA256=C922D741313F2278EABB49C99BF06CC8279557E87C9D8F401A9CB7EB15DF3271,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018492810Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:12.618{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-57586-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001253938Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:16.219{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211122080631-303MD5=2BDDF39925470B8EC963509AF6294792,SHA256=55F3B8F2085B1B773D0157DE95B74DA236A1C8442DB52BE5C71968FDD2B7F483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018492812Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:17.997{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F59C74E088C02B65B4948F65E4E99A2,SHA256=98151BA416A99B589EF4F41515B8A399B0CA2C0D280A9AB75B88E763E9478946,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000001253942Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:17.781{068A336D-4F98-619B-7300-000000001002}3124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A2AF8E019E08D7853C3E762CEC604B,SHA256=B4457A9D0C5F079958C896769264A0427889119F28116ED7EC9612C8A6192EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001253941Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:17.233{068A336D-4F85-619B-1D00-000000001002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211122080629-304MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001253940Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-22 13:18:15.306{068A336D-4F90-619B-6A00-000000001002}3160C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local53623-false10.0.1.12-8000- 354300x800000000000000018492814Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:13.819{CBEA6AB7-4F82-619B-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse112.31.195.234-56725-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000018492813Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-22 13:18:17.997{CBEA6AB7-4FA1-619B-7700-000000000F02}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F9699958733FDA184BCFC242DB9F05C,SHA256=951E539B2F6D45D273688E064E87AE8A56A6E7805507A8F682A1A9CA6198405A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space