354300x8000000000000000368908Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:27.117{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368907Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5039D4E2C771FB9FD505B4FA6048D597,SHA256=CE07AF810F0487D85F89C110723B257D955959A36D0358A12529E40735E583FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322729Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:29.366{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C1A084B9533AB76854B2C19E9EEC2D18,SHA256=BE1B419DBCAE528895AC3BB74F96BA229F4BC481D4886C405CB80BDE84C63312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322728Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:29.163{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1DF97A9F9BD0C436F6433EB59DDD2D,SHA256=14E8F143FB55FE2E2B53E3AEA8595ED80590F0300813F2985ED8AB1B51AE28AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368906Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.341{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3FDAC629F6322DF57EF5BC56BF3660D,SHA256=0524777DE2B1C26A546A2F1BA1A8DE125A282F2310A221D760C09CCC413952BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368905Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20853A8A08CAC51A6D9FB86A880FF399,SHA256=AEDD8F41A35D4D82421B89CACC1277CE0215B89A981A17BBB185B10BF7BD6318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368904Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=008FA337F9BCA10B61E8BF8FABC392CF,SHA256=AE9E53BB18A6DE747618BBE1C20C41709DBA26727FC071F8D2195AE2CC5B335F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368903Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.263{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7334A6AFBF3D8B7154DFC3854EC1CA5,SHA256=5CD5B8619C0E1736E941AB4FA43D0D369120B3DBDA326662B1E8787D5183B26D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000368902Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PubSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplication\0000ecb9837aa96085e95a514805c6e0a2b900000904\PublisherAmazon Web Services 13241300x8000000000000000368901Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-VerSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\BinProductVersion8.2.9.8 13241300x8000000000000000368900Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LinkDate07/08/2020 18:42:42 13241300x8000000000000000368899Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PubSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\Publisheramazon inc. 13241300x8000000000000000368898Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PathSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvif\xenvif.sys 13241300x8000000000000000368897Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-VerSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\BinProductVersion8.4.0.11 13241300x8000000000000000368896Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LinkDate01/12/2021 17:17:37 13241300x8000000000000000368895Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PubSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\Publisheramazon inc. 13241300x8000000000000000368894Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PathSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xenvbd.sys 13241300x8000000000000000368893Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-VerSetValue2021-11-25 09:59:28.856{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\BinProductVersion8.2.5.32 13241300x8000000000000000368892Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-25 09:59:28.856{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\LinkDate11/19/2018 22:01:56 354300x8000000000000000368911Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:27.551{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20145-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368910Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:30.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F15935D69D603A55F69FA49596977A,SHA256=3BD76148574527D5FB61A37EEB9BAAFC0F8B9318BEA8B2732F749FA9E4B47158,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322732Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:27.665{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49929-false10.0.1.12-8000- 23542300x8000000000000000322731Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:30.178{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682AC454E1537D7C383DAF5B12A18824,SHA256=C88B9000C887737B3E98C4FF11CFE84D47B69C094215CE9D58EBBF30475949E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368909Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:30.497{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33BB72833818508BC9622E1CAA1ED557,SHA256=9FDF15D0B6D0E47D7E7EE7E108459EB4FB39AF8919B8BBE053F5BDC8F3774B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322730Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:30.163{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368912Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:31.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BAD60EE1B67E00E56F88292594130D,SHA256=76564F9EFAE3C5E9A69CD500269BC74606A591963F16CF9B6E7FF086C046B5B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322735Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:31.741{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-0C00-000000001002}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322734Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:31.741{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-0F00-000000001002}920C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322733Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:31.225{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8475239B6CAA446AC649EBF8E355DF2,SHA256=48223B627B5C862D55503E7F6E0F51C2BCD0A40AB01B104995FDD58E81427E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368915Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:32.778{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FB51D6198A19A39ABA37847EAED073F,SHA256=F18C9968FA698E29D6A088C9EC9606293C498BBDAEBDD6E48FBF2E4CAE4F1242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368914Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.823{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-27602-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368913Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:32.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7DA47D2E0DC53DAEEAF134F4D8945C,SHA256=66F07A1BA1EDB747205B4400F622D87DB2BF0C7834D23989A1EE405FBFFBDE76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322737Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:29.696{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49930-false10.0.1.12-8089- 23542300x8000000000000000322736Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:32.241{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B690C9CDFF42C352002C3EFD12DF0E,SHA256=84851CBC15334004488C6014110177BAA41A90F1FD5804FB88C6C290F79BCBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368916Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:33.656{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E963A4ADC880667655EE588F046B368,SHA256=340CA3FE39680A99DE09D0B7FF92174DF5B5ADDFACF5A299572413215F5D3CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322738Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:33.256{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFB33C68642802FDEF8C28607A213F0,SHA256=D70355E57870C17CB618D4B1E62CB7A2F7784510C42B42C70D786CF08113BB5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368919Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:32.161{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35163-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368918Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:34.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF802633B4A9E8C725F0D00D2A18900,SHA256=FF70B92CC0955256EC93BCD59BDCF4F22C6F937F242AF83560A193EE886EBD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322739Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:34.288{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8700C5A527A92C587C0C4DA60A476D,SHA256=AA40FA89FB10D5FB6E994AAFBE7CF6ECD7A7541DB806D966D9D514B147581877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368917Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:34.372{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=37501820DF7F1497AC6713FD1DF49098,SHA256=80312B321886C1B239575BFFBD41CCEBAAB1578330DEC87769AC6838422486EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368922Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:33.084{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368921Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:35.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D9A9CC6E3ED5A69BA2010F1EB80218,SHA256=2012EA84B9F4A4291BED8D505362DC019C26CF002EED4BE0C3F4BCC698F222FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322740Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:35.303{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71541D406386EB4ABF5C3820C3F6765F,SHA256=13CDA3E014D1A468BCDD5BAA24FF4A0CDF11FB9437BA06CAA7223222F75ED1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368920Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:35.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7674557C1536FA4CE58065962FE181A9,SHA256=05BBAE8964AB163C073731171173696CE15D54E2C15FBC17A738625B180B2CD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368924Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:34.468{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-43626-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368923Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:36.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E919B31C7A1001D179743431D7FB40CE,SHA256=B5FF2A45C11BE9F2C5F03B414B2B77BC449891E3ABAD546FF4BD367437FBECB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322742Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:33.649{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49931-false10.0.1.12-8000- 23542300x8000000000000000322741Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:36.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AC28B998FC0F87796B413234D8417F,SHA256=07DC81CE11AC4D7CEE52003E6C31CC41561A6EB07F42ED4A25AC1DEDA9C792B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368926Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:37.716{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC78F8FEB31AA651529D4190CFC80487,SHA256=920C16D998967367229ECC73274CC2D93BE5CC90BEF4B5823BF9FE4D6258C27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368925Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:37.677{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9285154A4FBEFCBE350BD6BB548E744,SHA256=DFE4B6318CFBA655B642A1436FF5825E8A749830434948AF7B78C1C23491C74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322743Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:37.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79164F28C2B322DDD6347EDD99288658,SHA256=724976137EDA3CBF3BEB218500390AF22F4EDDD6A8C3D4713CDDE1EDB578B22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368927Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:38.685{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92E8D06DCB5B9ED756728639E3B47CC,SHA256=3F87A7D983F38D21466F1904D872D3F0DEE935FD914F3EBC6565570C213AEA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322744Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:38.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6893CA2DB988C8F3D9D419ADA323A4AE,SHA256=C5C0BA5E848292CE02205F352EC2FF5155FA316941802275F3565ED67A8BFA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368936Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.874{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A972AC2510EB9E41247FCD73D9321C7A,SHA256=75ED45B36A50EDA2FF48DA7AA5D9DAD99AF2BD4161F616E0D521688A27BFD582,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000368935Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368934Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368933Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368932Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368931Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368930Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368929Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000368928Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825DB2A5047770AFC50BDF35C59AF09D,SHA256=E2AD3D2A72F6BFC5E14663C289A7F15CF9B44DEA67F0087AF7EA0C3DDBB8067A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000322746Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:39.477{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x29240dfb) 23542300x8000000000000000322745Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:39.367{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDC1FDBC26200FD43DF86A8E9EA20DE,SHA256=46967631AAF39F5311907AC8979CA72D9BABED181815BBEAAB9DB74E4063FAF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368939Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:38.303{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000368938Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:37.051{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-52652-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368937Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:40.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3101E1F0EEF92C93E8CDEF62C2DE09E,SHA256=C33B5D54BF8530FB3D9F218516530B181062A396DD8603D0BBCD764F1BB5C70C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000322758Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000322757Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000f892c) 13241300x8000000000000000322756Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1da-0xc7e49241) 13241300x8000000000000000322755Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0x29a8fa41) 13241300x8000000000000000322754Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1eb-0x8b6d6241) 13241300x8000000000000000322753Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000322752Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000f892c) 13241300x8000000000000000322751Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1da-0xc7e49241) 13241300x8000000000000000322750Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0x29a8fa41) 13241300x8000000000000000322749Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1eb-0x8b6d6241) 354300x8000000000000000322748Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:38.681{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49932-false10.0.1.12-8000- 23542300x8000000000000000322747Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:40.383{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C26C728E6584B013FE0CE2190EDCBA,SHA256=14DDF17E3D8F14FB61C3D844190989BC3D1EEF9642586F8E140204EAF4B5EABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368941Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.154{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-1277-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368940Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:41.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DDAE1ADFC2ABF98D43C9E8076E3513,SHA256=CBC230C58AFB80EA49EF7989B657EFEE40897F0B7CB713787AE795B74BE2D929,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322760Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:39.009{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-61.attackrange.local123ntpfalse40.119.148.38-123ntp 23542300x8000000000000000322759Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:41.399{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2245EABAFA6FD43D12CA40D4B3CBE016,SHA256=74C7DF0754C4829AE7D6785566D153F11FBBF4CC9913D95220BEF596D488F9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368943Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:42.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167FEA172E30573DD8DEFA5FB1B4BBA2,SHA256=A45B0F4003A6BEE9DFF3EAC47CA5DA27185FF8FF01EFD2A899C171445CFF074F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322761Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:42.399{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50032ADDB1143B44A2B081DD5DC6F9FA,SHA256=5F981CFFCBE156E08ED8EAFAB074FB231495624505532A185051C73FEFD028F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368942Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:42.436{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2970C5E2288821242297E98D3B9B006A,SHA256=CCE247C87118385183C1B713A0941BDE1AA2964225DEAED7A9037723D241EFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368944Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:43.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4ED64C02A2A5BAB3ADB9CAD163D992,SHA256=E23AA608B7E4C182B0CBE34DFB5E3238A0D9AEE0405A07097F7DA2F36F16DAD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322775Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322774Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322773Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322772Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322771Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322770Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322769Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322768Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322767Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322766Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322765Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322764Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322763Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.868{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322762Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.399{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2919B5016E3F1EDE1E647EC94308D0,SHA256=1461EEB007AEEAF3E9E0520E091F449DAA862C2FD23D83964A5BF6B721E3697F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368946Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:42.167{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-10129-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368945Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:44.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2410C7A07E5670D983D3437D880CEE60,SHA256=EEDEA6A20A16775F5A8168BEC48A28417AD8CA038635669F5AFFE4DBF5ACBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322776Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:44.430{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CAF63BDF332EFDD0DEE4D73894E7A9,SHA256=98D43C5D00F726AB4F529D9BDF0EF05166F73C4CD7567DA596BBDB114D03B6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368948Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:45.718{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C26721EC2E314138E6A6BB0B160558F,SHA256=1039BA84BB92362C50F5428479DECDC21A5C4415C7FAFF4D3E2BE86C80C62771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322793Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.477{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C89545C214DC821EF99582218EEF8E4,SHA256=0EFA0A8157AB17AE4EDF5AE9CCAE2A5C247A46707080A712C9462876C3895F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368947Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:45.343{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8194C7E70C2F58F4D2589A7BCF91C567,SHA256=DA6EF15962860C92C86F87E29D98FD8223382588075B537D15556288B553ADA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322792Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.305{99D2EDAA-5E91-619F-0601-000000001002}33282572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322791Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322790Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322789Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322788Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322787Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322786Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322785Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322784Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322783Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322782Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322781Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322780Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322779Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322778Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.071{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86BAABEDC107E17288D4FBCE19B6A328,SHA256=4D30C3FC37B3E2DF3EB98FD120D1E461F7D51997E63E73EFCEC792C6A66F2AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322777Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.071{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6137B7189057A3B97ECB074DF5BA24A0,SHA256=572E69844FB84E39560AF1B440CFC029BADF46D378DD2CC6E03B55F7C3F1B777,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368950Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:44.181{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368949Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:46.811{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33135FDF420BBBEA3739FA7884068952,SHA256=B62E4AF28AE0D49D469744575D6D558D980C1774DCF583077BA35E7A3D42D2CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322809Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.760{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49933-false10.0.1.12-8000- 23542300x8000000000000000322808Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.492{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4849F5CF17BAF41092D192EABF4ACE9F,SHA256=5CDBEE69B41C8145866E34F092C7A63B962D8DFFED652B1C285D0EA61EA81A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322807Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.180{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86BAABEDC107E17288D4FBCE19B6A328,SHA256=4D30C3FC37B3E2DF3EB98FD120D1E461F7D51997E63E73EFCEC792C6A66F2AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322806Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322805Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322804Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322803Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322802Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322801Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322800Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322799Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322798Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322797Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322796Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322795Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322794Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000368953Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:44.646{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-17920-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368952Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:47.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F1D2CCE66604F287C35FB9BB07EDED,SHA256=F9EF224FE51A23C73065109C7C335D73CFFC8F0031B3F7B2375BCF98BC1F0ADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322824Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.868{99D2EDAA-5E93-619F-0801-000000001002}6843132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322823Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322822Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322821Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322820Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322819Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322818Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322817Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322816Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322815Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322814Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322813Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322812Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322811Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322810Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.492{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2E07E439274CC7AA53EE38A0742431,SHA256=9AF67D90070EA4E16C3D572D33A5C26C7940D6625331EB426DAE26660118AC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368951Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:47.265{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7352668E4344D76EF0E8279C5F12E25,SHA256=14562C6CB39143A633267FA2F22774A2442A1E5AFD90B36A4B960D6D2991B418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368954Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:48.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A13A56642A3730866D3878183E087F,SHA256=331A70B4B0950950812EAD065184A8368E49ED5782FCB93D5488C5F72B160AC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322840Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.821{99D2EDAA-5E94-619F-0901-000000001002}37883364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322839Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322838Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322837Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322836Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322835Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322834Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322833Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322832Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322831Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322830Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322829Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322828Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322827Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.634{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322826Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.617{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42BD67943C09F27A8130CED579889EE3,SHA256=1734AEB882D94C667CF3B6E43518F616274966E1F1F9B31E3B55A889C4431BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322825Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.492{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4D97C4DCDB41B198340BFC372EEA1,SHA256=00FA9AE41AAD07A1E25C0A3E30B55FBAA8C300F7DAAB1795ABD78B645CABB2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322856Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.977{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=852BC720FA3BE5EB864627307A0DAC8B,SHA256=638061B88FC25E119EC989D347385F47AEE61143759AF4F9360893F20C983F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322855Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.977{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B28910A3C0F63C010D3BBC7A9CB8CE,SHA256=AAC7D224A36A59731786DDB2AE4030A7E17E1E0F73F90612C1C88B1E351D62B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322854Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.602{99D2EDAA-5E95-619F-0A01-000000001002}28842628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000368955Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:49.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0012E6A18E234D4A1E424776E4BE47D,SHA256=CCD63F6D298A12C932442A2A527CA75C163B6F29F43C0B9A337CFB073467FC69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322853Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322852Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322851Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322850Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322849Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322848Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322847Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322846Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322845Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322844Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322843Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322842Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322841Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000368961Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.968{27B459FE-5AC5-619F-1600-000000000F02}1288NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFfaa9e.TMPMD5=49B0042F3BC51E28EFEB859CA90E8111,SHA256=0FC01FE6DE4BE50A4543D18A46A15CB18800BB9E25174A9A66570CFD6420E9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368960Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.905{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABFCB48034094F69EF0F000AB71BF6B,SHA256=9D5B086B4EB4D89DB65DB4B036CB6225DB8AFA0B027C71A56CA88C9549820BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322870Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322869Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322868Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322867Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322866Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322865Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322864Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322863Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322862Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322861Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322860Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322859Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322858Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322857Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.633{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37852C74162B926F1F055902BD616130,SHA256=B4CE663E513B4505BC8B0750AD17F26406E7ACB15FEAFA3559D00F0571B30CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368959Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5870335E3DBB8BBCCD415BA36BE92C3,SHA256=FF37D3283D9674D8AC8D53E512A2240CA0225DDC7691157062A1A5CA19F69D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368958Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20853A8A08CAC51A6D9FB86A880FF399,SHA256=AEDD8F41A35D4D82421B89CACC1277CE0215B89A981A17BBB185B10BF7BD6318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368957Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.812{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E158791F605C2DF6D3FDF6020EB72FF6,SHA256=E871AC008F114F2B470953EC8EAB40343E5D4E259FA4DD1EBF456273C6E0CED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368956Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:47.027{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-24583-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368962Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:51.906{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1975FB0243276DCA7299E6E402E66327,SHA256=7D9920B6DA26BA5C5109F17D61D2F05DD0F0492EEAF91B3E9E639A409EF3D1DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322872Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.635{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49934-false10.0.1.12-8000- 23542300x8000000000000000322871Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:51.633{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CA33866ACCD3541EFD613567078ABE,SHA256=B6AA31360987FB67B393F9613965776B42BB0C0242970DD24CC07B97CF280FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368964Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:52.921{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47DAD7652D7BBC24A8BA6858E6A51E4,SHA256=CC36401FC391573832E714815B07AA670991CADAECE9398B21E4B7D1F357C37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322874Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:52.633{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB61C526BF8975074A0D052962B54DDA,SHA256=A327FDDCA60D3AD520D56DC71EE95145DFA4C46D6CC7A815F156D4B9B24EC9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368963Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:52.405{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5870335E3DBB8BBCCD415BA36BE92C3,SHA256=FF37D3283D9674D8AC8D53E512A2240CA0225DDC7691157062A1A5CA19F69D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322873Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:52.055{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A58D9B99E3310662F9AF674888F3BDDD,SHA256=C8BD27A46B5807668758FF2B894CEC229C6E0BC2559C5AC84B4F21C1FB2AA9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368968Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:53.921{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E6A140EB340520FE469BD883EF5728,SHA256=ED9A01A6C21EF188D602726B308902B1386658C9069F98BFB742D37CAB301203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322875Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:53.649{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CB384CF25A6B755227ECFE7A1B0379,SHA256=65520861C0A9B9ECF81BF8C1E43F4F74A51D88A9EFDDB06B215E385E11258F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368967Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:53.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B74793CC112E037C70570E7CDB354063,SHA256=79D9B4439C1492673C154E059B975305E8F6011B8D62949CE5E25E59F0F5B035,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368966Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.747{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35728-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000368965Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.057{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368969Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:54.952{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A794EB4927F145743E50DB095BACC72,SHA256=A97CA65B862D7E449390D920924F99A1B8EFE4BB754BCB4A16A530A2F0CE05C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322876Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:54.664{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904AA2DEC024B8E4A4C0C25C68C79B12,SHA256=7CD2C593788FE2582FE2DD1FF8E2FE9DD7BF5563C9BE309254CE298909152E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368970Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:55.952{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280382BDA72691FAA2E5A63142D48381,SHA256=8D815C64277E8BB3A5DB176C9A018475DE7EABB60E6A3B80E39558E472C1F899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322878Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:55.668{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F438EA7B80B8F09D5CB3BAE5DE75B29,SHA256=1F89EF471649FEA9B4114F7F701CB54D418AB21D1D4D44A40D9D3B29E59EA5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322877Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:55.451{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-015MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368971Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:56.968{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F351BEC5C3448D189EEB8E9CD4C1E78A,SHA256=5AD0C2FBCF52EEE65AFFEA77EEBEBA9D7FFC4D0430951F6241A08FFE5EB06860,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322881Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:54.716{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49935-false10.0.1.12-8000- 23542300x8000000000000000322880Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:56.682{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B5AAB9896D6C8D10589F1E0484BE08,SHA256=F436D1716E38FB0F02C22A5DC9A904B378A95EBE50AD256D30B35F4879C1CBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322879Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:56.450{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322882Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:57.716{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22E44CE03F45DEDA8C9EC28D25C3928,SHA256=09DE5FBE37191737D43813989E41482B280D31F2B360B3EBE8AA0FD0D8395278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000368975Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:57.437{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368974Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:57.437{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000368973Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:53.475{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-45157-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368972Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:57.046{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD3131EA63621D54E665DDA60796130,SHA256=BE9385DB273094575E6F70B4747F5E9CA5219C526672C0327B2FB33C3D38A7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322883Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:58.763{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C83FFA718B82BF2D410E5D5F5A74EE,SHA256=B9BF05B8CB2D30A11289657CF3A4BC4982F2475BDA3BF0A59CAA0EE0DCEE15FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368977Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:58.173{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFD4795807A43C24EEA5EF5893EB866,SHA256=CC3D1CC532CCA2A2E2466D221415C64C60B0B3FE44AB5606120B85A130446538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368976Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:55.226{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58825-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000322884Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:59.807{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5E0FCB7967707F9AD8FAC8E3EBA022,SHA256=84E2D21258BB887E14BD6A648A88E15CEBB2469F3D95E59C35AAB423BB0DFE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368980Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:59.892{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCC2312721A6F667A0CC271922A04E2C,SHA256=9598C93C286BE9AF8133951F81AFB59676DF3F9DD22F6793208ADD21D5B22F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368979Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:59.202{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F2DDA793A3816EAF2A4E569909B35A,SHA256=54D9EFD786479709BB47F8704BD72F14B9B12E6115A01FEFC1EDEE47BA53B5A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368978Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:56.408{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-55258-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322885Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:00.870{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FA16B9010971CED4B1516A2C1067CD,SHA256=D624CF349518C4694885B7DBCBE9B8EE2F6DF832706843466FB53C035F45E6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368981Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:00.220{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2A2393DA52C779D52B8EDB906DDEDB,SHA256=B021EBC1917A397E7A12FBB09268D5CCCC080F423F9A02A4D5BC574B4CDD00A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322886Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:01.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947649622F55066F8E847230EB75DAC0,SHA256=DAE317BA9D1BDC3ACC2A4DAF31C18E690567DCE2A70182630B5C15AA75773B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368982Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:01.220{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93138BFBBD93FE73186FAE4A39A3162C,SHA256=71F04F0BCD4D4057E8355FD59318643FB70DE758C3466E682D0A3AB8FD624E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322887Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:02.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E2CF063AE51403507008248CBBD728,SHA256=1DBB7C314B5499848B6E92615202EADE98C123DBE7BF04786CAE307675120E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368985Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.220{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0D08AB2535955E1015FE3F2B3FE781,SHA256=14B1FAEF4DFBD113A4BF74C838CF8A7AAFD45D80BC1B13FFE3AEDFF5298C5509,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368984Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:59.244{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-5575-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368983Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.017{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=926D174E9B47FBAC4B1064B6F2F0D483,SHA256=668F38495496A446A20092AD779F83336A169188E48C5834620F0BC5A2FCAE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322889Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:03.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D85C55DFE8A0B92AACA620911C1ED52,SHA256=A52296727B8F349DF3CDA94A074B4AC85240B800C22ED751CED8FD9799A57B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368986Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:03.253{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0EFECBA3F25AD6DDDACBD6D0042363,SHA256=E7848F802E5869E693F4753C54E39A33A642D9452513888794D8712097EF8C4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322888Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:59.793{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49936-false10.0.1.12-8000- 10341000x8000000000000000368998Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368997Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368996Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368995Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368994Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368993Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000368992Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000368991Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.471{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000368990Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.329{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C6428EEDBB90B6141AE79FE7200FA5,SHA256=AE24DB82B73D91955B065A5663FCBE3A951847D103E67041E637BC15CFBFE81C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368989Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:01.474{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-13297-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000368988Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:01.181{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368987Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.267{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2857A54814A41C6723C6FA9099FA87A,SHA256=370D40F20F191A57CE534F6AC22C66A058DE6CBB09D4849DC86E53F32C3D082B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322890Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:04.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD29D34C5A44DE398EA60EB1AFB3E3E,SHA256=BB4F159436A3F5BF5E613167F587B3235A7A2D8BF8F3B4BF2128020E7E917E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322891Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:05.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6988C44C052003502EB254CB1C5BE37,SHA256=B0C4B38B1AAD7E71F836E40814B494E1B2754AD197B156BAAB423272961FB810,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369010Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369009Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369008Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369007Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369006Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369005Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369004Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369003Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.552{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369002Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.501{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9895B882A55110F65E237833C5B0E80B,SHA256=D7BBB3C244316A6D521689C4B820862E035535E247C3FE9A93B39C39CA19B961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369001Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.360{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085CB614E73EFE92AF6E7F325746E8AB,SHA256=AE5E4B9AE3FB74068F6EBBC3CE72360A83B8E1B47D164E17203323CB249B6D1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369000Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.556{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58827-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000368999Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.556{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58827-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000322892Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:06.932{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEDEC7387B8CE573537A5824D1AE4A1,SHA256=79671F075DF6635B7738EA0E637D22D86A015741A8362E854D8A76D80A7A3E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369013Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.579{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBC57CD72DCC57F3D399539EB9D145F,SHA256=C73B64031C2551D1E46FD8B85632DE94C0368AB66313AD21B0F858817FC84348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369012Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.548{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=637E1BB74BE684FAE8341755F8077FE7,SHA256=82EE31FE7B1BCDA1FAA47068464FE19BF0239857AB31DA0FA35834385B982138,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369011Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.173{27B459FE-5EA5-619F-3D01-000000000F02}53004036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322893Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:07.948{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09A1E98767EA542FE3C899F1CE16DDA,SHA256=68761A8DEB43883C5EA281CEB501E3AF3AC83090AF5D2AF31B0D61A767594354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369024Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.642{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F58B70B88A271394E503212E6B63AB5,SHA256=C8655144D1528351CA5FE851FC6DBCA63CEDC6D69DAC827DE7DCEB073D6019E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369023Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.642{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6A586F7CC239B83964DAECC25C0B9B1,SHA256=0AFF67995F82C02CCD9C138368350489A423D59E759CA854F7E5972ED9AB29F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369022Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:03.762{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-21374-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369021Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.036{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369020Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369019Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.036{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369018Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369017Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369016Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369015Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369014Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.565{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369034Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.986{27B459FE-5EA8-619F-3F01-000000000F02}13124900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369033Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.736{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369032Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369031Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369030Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369029Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369028Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369027Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369026Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.549{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369025Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.673{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218E80E49FC38B83BACDED9072D64D3C,SHA256=DA7D7BBECD732FA94EC233D727F968E0FF29AF2AF3147A5A0F3DB95033B6C58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322895Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:08.963{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF900357F8A05ED2CCED9FC03C9F527,SHA256=F907D8BB44863A052A37DF5BB48F3AA00A4E396A1CD6A3630D800810AA54C11D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322894Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:05.809{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49937-false10.0.1.12-8000- 23542300x8000000000000000322896Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:09.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DB667DCD3E12A72ECE88915CE3EB09,SHA256=7A258832922328101C87F683C203AE1478D0CA661C16F5C2CB4405F97B978AEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369047Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.861{27B459FE-5EA9-619F-4001-000000000F02}52885324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369046Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.689{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CA70D68FE3F3201889619C9BDB96E7,SHA256=3BB14BD34C885B8C4741AA7F2EDF41CAD2AC9E160A454795A73895D23A6B4841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369045Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.564{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1BD547E179E2BF47314A0A8EACFA082,SHA256=4FC2EB7625ADD16641184AD055B6A1DF1896DDFA0FDD1CE6601D4352D2543B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369044Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369043Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369042Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369041Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369040Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369039Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369038Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369037Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.440{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000369036Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.292{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58828-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369035Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.132{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-29311-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322897Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:10.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8B579F3A90620AB3DA3D9093DE0D62,SHA256=DA81E181C86F2F4163DD030571232960F8F723A2CA057442E9F5B3BFC6EA3B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369057Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.704{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054B20098A02886D6C1D416C3BF0062A,SHA256=2BF1D3E8E7D3F65191C77460E77CC7B8356BE1A458B44831F1AE553BD4FAFC67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369056Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.642{27B459FE-5EAA-619F-4101-000000000F02}43444424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369055Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369054Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369053Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369052Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369051Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369050Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369049Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369048Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.331{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322898Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:11.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA9576AC5377867E53CEB632E297ADF,SHA256=4A36761E5FDD082099FD57D2393F4619049A5D01BA9C406773E43E17DC5EBA79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369059Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:11.736{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAE14D389021799BC9493F15FCE5A6C,SHA256=218E068525B5C4EF9FC57841864C54812EFC99B2447C526F0321E12639111646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369058Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:11.345{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B04AAB04CADB6C6A551B481E2EEF4E2A,SHA256=84BA08A3DA6A6ED2129E470FCF68036D523731535E5E1B334FBE520CCAC19B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369070Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.783{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB5C06538B0242F197EF7EACF0E04DB5,SHA256=F17E432824C43075CA206C8801779AD67E0072BE84A46ACA44F2BA330DEFB35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369069Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.736{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4ADA415CE64B6F87DB5042E57E3E41,SHA256=14CEF4C42D71A677B6DF9E0788D852D202B540C54C6B7397DEEEC716A603F4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322899Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:12.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2CAB3C5170AF8AF03D02ECF1EEC57B,SHA256=D2BC2FFC42D6CA2E0C9BA53468F1A1E189E538A34132292548BA8FAEF98A64AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369068Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.171{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-39932-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369067Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369066Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369065Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369064Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369063Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369062Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369061Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369060Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.096{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369071Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:13.751{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7883932A533D67635571CE73ADB7CA16,SHA256=B1688BD019101D4B29FBFF941DB1B4CDB86DE2D15F103425CDCE3A060946B2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322900Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:13.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DFA42009EC46F7E80E80797B6257F8,SHA256=3B61418A0A1BA578AAE7235C4DA1D6326D3351A4000C44A7A990ED79B76B1131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369075Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:14.876{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2924B8A080075AC2A2EAC5F6DFE0AF51,SHA256=B29DC8A6A01861AB0764611CB33D66191FBE9594969E467553C7B5259C8816EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322902Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:14.995{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B5384F915FD87FD82243FCFC7891D6,SHA256=E987CAF7DBF18FC7EBE35F168C20068FD5BBFF46C0DA0678F22C18931B2A6769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369074Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:14.580{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369073Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.129{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-50516-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369072Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.119{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58829-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000322901Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:11.684{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49938-false10.0.1.12-8000- 23542300x8000000000000000369078Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:15.885{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A8C7735005794EFC9ADF16DF53A028,SHA256=75888480D8D6E56021D1C51541D6D941180DA2534B0BB84B581F445EF0F02619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369077Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:15.590{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-015MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369076Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:15.226{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5149B60EA15F6A124AD6B3A0E5300847,SHA256=75E8AB68CCD7F0A1DB012D1B1368F3BED2F65D703826724B5F36E7D254DC98D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369081Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.946{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8DE0C65D51B6C78CA33C498A697EB7,SHA256=898E7263EE2226738B22276EC35BCFE5C362C41FF2A9D850FE0E262EE9FD9513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322903Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:16.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A737A0C6934FF05D8BDF477823B5D4,SHA256=30AE54A6BE74B5A0828FF3E5CBF2AB093668E4BC0E0901077EEB063DD37DD5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369080Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.573{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369079Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:13.603{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58830-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000369084Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.951{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7952769F64A26FCB5FB214CF29D46A3C,SHA256=8E1C33B80CAB274DB768F13A189667FD9850C9520D9CD15969AAC3F893B957D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369083Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.560{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B40D4A40738CE646CCE2CC6380F11D8,SHA256=9545D1ED1F0C928204508C98B0732953EB215F18101104340D70869F9FEAFB0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369082Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:14.506{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-58552-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322904Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:17.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B39046AFBB1F52CE2CA9742082C8FD,SHA256=D9E14C56A1B068F8FE6C529AB10BECA618C477543C5A0F7CEB8AE5B0CAC2A465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369085Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:18.951{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7782071E1A2BEF4ADACD1962667AE310,SHA256=AC1482D0257C244DBE6B58AF6894F2743D5ACB0ED1467E5C278F450EC006A658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322905Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:18.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B858D2CE4A18FF78E43ADA0694A63F,SHA256=CBC59AA3100755515A8EBA539DD1163F191799274A0B0064BFE0EB8D1C432926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369086Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:19.966{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508DC6620C6AFCF576EA6A65E99983C1,SHA256=CBE316F721AC88273DF1CF19901A9AB4773D00AA8D1E011CCF90E93B94A25F10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322908Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:17.591{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49939-false10.0.1.12-8000- 13241300x8000000000000000322907Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:00:19.506{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x41000776) 23542300x8000000000000000322906Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:19.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A6C9FD6DF8E873734053EB828CA55A,SHA256=09A0D2C13EC64B44D60AEB3B21833A111A748D0DCA8135FCAD816AA3C2191BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369091Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:20.984{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA063F94991778BCA673FE199AD31E8,SHA256=08381F12D630FD813771E948D438E2CC9F3CA404EECEFB3FDBBB1C5647CAE5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322909Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:20.022{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E19045F5B4A9F25B39BD2059C3AD657,SHA256=A99AB3BF0BF1ACB0E39CAFFD735A601AC50EC4D4F9F447065FF683DD4AE907C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369090Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.165{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58831-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369089Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.077{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-8457-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369088Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.839{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-266.attackrange.local138netbios-dgm 354300x8000000000000000369087Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.839{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-266.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000322910Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:21.037{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0F93A25CEC5A59B69B5A563837969D,SHA256=063345F2E8ECB862304D9C33788961B5E11DEB40D3E3D8CEAB184B214C4465E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369093Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:21.326{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E307067EDE6FA6654C67C817F475C87,SHA256=1A82C3D994950B80C38FE50804E408B2B7087FE2F1A905DE6E082AAA3A2AC3F0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000369092Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:00:21.247{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x4209cec8) 23542300x8000000000000000322911Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:22.053{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4AE5D39C881F7C38771D7671DC3294,SHA256=21F4374F367ECBCB16CF08768F3D997913C9A3FBD347955DF7CE44CD1EC1DDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369094Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:21.998{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E2FA96AF6BB71A80374AC272368CE6,SHA256=089A9F22437BCC4C235703D1C3F97498EFFBC6B25AEF8AF6AF277F367FE0F3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322912Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:23.068{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4774A25B6EEFD8254FADC2C16302ACE1,SHA256=01ADC8E72FEB7781936FD4E03BFF3F6E8ED52DD639591120E1C29BCE474CF972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369147Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.982{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxnmsg.dllMD5=6D4200720B659B72D790526B09FEDFF4,SHA256=66C3CD0325D717523BFD14EAB1CFBE13F614BA753AB125FD734747ACB27EE9CF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369146Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.sysMD5=060959F9BE8EAEACB47255658A7018CB,SHA256=6EC9C4CEC786FF06EA2D6F547798FAE4E255662219FD5536D5FAC7B6108B729F,IMPHASH=5A9046C211055D28BF0892E100F10D44truetrue 23542300x8000000000000000369145Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.PNFMD5=76ECEA82F53EF95A76B2207ABDD1FC97,SHA256=C2730843E1517FDEECD302D93FC7D629A42C4FE9060F6FCA37A7085759907571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369144Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.infMD5=1B69FDC8CCD34B8B3743C8A97C2E90AD,SHA256=83CCF811C2F2F9F8337270D5AF00AE41E76F8BE3E83B1B46A9494A350BC4C142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369143Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.dinMD5=E3142F1ED12D1F1D6574C564FEF14A7F,SHA256=A220E8A7BF2233813DE1EAFD17A075C3B4E071B52E48D9EE17FFA199527A1F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369142Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.catMD5=760F99775B12D3C68FAC49268C261656,SHA256=FDB58B626E4F572F8257D70CA888CC8F2E35B770329FAAADF9BB56C6456C4AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369141Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\NicInVXN.dllMD5=C8AFAA519298C27D145550F2D57B4F94,SHA256=A92B47A8D57DFBAC758E713EB6A62A5969E4EF00DE3463C1179A8133D0A7D620,IMPHASH=913216F349C3C30723EACBE7EFAC0752truetrue 23542300x8000000000000000369140Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.951{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\NicCo4.dllMD5=0BD0040999429E77C02912F052B4A8DC,SHA256=C0109B670B60721665D62C9677B6A816009E7421C341B31DE7B2B76E357694B6,IMPHASH=5A14127160FF1090472EFBA582E1C28Btruetrue 23542300x8000000000000000369139Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.919{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem14.PNFMD5=0156163A3E5B27D5B84D08294B841F19,SHA256=09AF0C75866CB65DD6BD0295651724B1EDB3E8D5947A2C71A451890B3857BF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369138Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.904{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem14.infMD5=1B69FDC8CCD34B8B3743C8A97C2E90AD,SHA256=83CCF811C2F2F9F8337270D5AF00AE41E76F8BE3E83B1B46A9494A350BC4C142,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369137Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.904{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-11-25 10:00:23.701 10341000x8000000000000000369136Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5EB7-619F-4501-000000000F02}19645924C:\Windows\system32\DrvInst.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369135Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369134Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369133Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369132Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369131Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369130Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369129Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.896{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.inf" "0" "484ad2367" "0000000000000BB8" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000369128Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.873{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\null_hecisystem.PNFMD5=B15D63802FF9708FFE41993E7158DAEA,SHA256=3FF15732BD811BDFAD0A25C2BF4B2ACA3650A835BF97E95A034336498B702E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369127Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.873{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\NULL_HECISystem.infMD5=9BE07E097B29209B5691B485F326B6C1,SHA256=ED89E7D2E5399834E6666ABA7770EDB3CFEFEB9D212951596C58E655CCE909A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369126Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.873{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\NULL_HECI.catMD5=21B9B34047D9F75857F25B19F48B21ED,SHA256=E1BFDF4EDC1AEA9B94D3CC1F531A4BFAD96743900ABE8FDBDD5FEC95C863C08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369125Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.810{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem10.infMD5=9BE07E097B29209B5691B485F326B6C1,SHA256=ED89E7D2E5399834E6666ABA7770EDB3CFEFEB9D212951596C58E655CCE909A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369124Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-11-25 10:00:23.701 10341000x8000000000000000369123Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5EB7-619F-4401-000000000F02}58845668C:\Windows\system32\DrvInst.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369122Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369121Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369120Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369119Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369118Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369117Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369116Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.797{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\null_hecisystem.inf" "0" "4deebfe63" "0000000000000B1C" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000369115Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.779{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxnmsg.dllMD5=C4FD6144854107881753962266C11543,SHA256=AB9445DA45C287F09C5BE90EEAB1C2ED7B97982A34949C45DA407F390FACBDB3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369114Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.779{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.sysMD5=AF4E936C49B994EF0A141789C2290A16,SHA256=00D327607BF7D7695AE9A6EB94CB34BC1D8828E834F72D61D2748EFF2B3C5BAA,IMPHASH=E2B74CDB105BD582CF5327E3935D9693truetrue 23542300x8000000000000000369113Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.PNFMD5=94A7A207CDB8652E8A64430AA29827D4,SHA256=7200638615D6DD13BA60ABD2583A912D419E352352971324022C07D822C438B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369112Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.infMD5=199ACC11483A48E8BA7B02842AC2BE15,SHA256=9F3558265B484A5239797B4052E420237A40BCA34D1BE108EA9DD7E462FC6F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369111Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.dinMD5=63E4A99BED8B4322CE1A9692E675A125,SHA256=33D07248FDAB322DAC2B1AD7B01269C57BB6A4148191B9D6CABF5BF6C41742A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369110Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.catMD5=6630B6384092EA07EA6444D817194465,SHA256=C9D99D973DBFB23C0EF1B517C27EDA94477D7E5E94A616C20266D344E892E6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369109Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\NicInVXN.dllMD5=8697E77D522CCA7412460E377FBD7438,SHA256=B98871E10F6FA38FB6D8D4270085BF06396300B228D5885419453FA0C6395678,IMPHASH=ADC7B716DB197BAC9AE69CFC2A7017D8truetrue 23542300x8000000000000000369108Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\NicCo36.dllMD5=4AA441F4AD7491BDB2162F87A1DA6A3A,SHA256=56954C185A7D8CCD391C08FA998B59B13765688CD53BBCFC56E4FE2079B5E4BB,IMPHASH=DD763F8C38ECDB2B8D750E0941DC51EFtruetrue 23542300x8000000000000000369107Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.701{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem3.infMD5=199ACC11483A48E8BA7B02842AC2BE15,SHA256=9F3558265B484A5239797B4052E420237A40BCA34D1BE108EA9DD7E462FC6F11,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369106Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.701{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-11-25 10:00:23.701 10341000x8000000000000000369105Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5EB7-619F-4301-000000000F02}58042700C:\Windows\system32\DrvInst.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369104Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369103Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369102Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369101Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369100Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369099Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.669{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+29cc|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369098Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.679{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.inf" "0" "48643ea57" "0000000000000BB4" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 354300x8000000000000000369097Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:20.551{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20315-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369096Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.482{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E11FD8911627519E0BB09AEA6084E5,SHA256=A60A8F802D087D06DBD17EA2C423B876A6A1AFA5484E791A8C378F010C01D0AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369095Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.013{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D734865D710A3E6235E8DEA90065D08,SHA256=2182179FC2086E812464D0E5488CFC311AAF90C39808C9D29A869794983ACF0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322914Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:22.790{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49940-false10.0.1.12-8000- 23542300x8000000000000000322913Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:24.100{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1489E6AAC6759855815F0A85E3863C35,SHA256=D9B0530247D31451BC32F61292B6ADEFFCC49421A3A3CD12CA220BE24F78066E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369151Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.826{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2C3EB7656A59093CD9A4F1DB2FDF8590,SHA256=2D4BD16108169ADC4FF0C6648744897E5904875EC8D4F227E8BC5F2393AE04F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369150Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.826{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B9A54C9055F808A2379E7C79ACD33287,SHA256=B138268C35AD1242C9C69A25F084D8AC4A338A0D2CA1A85FBDE5AB3534E6AA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369149Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.779{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEAEA411A38437CB419DEDF415521376,SHA256=28C3B0D11AF60381DF9D301D150DE86E4487E9B3C5D417975124D7A43CB6DCD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369148Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.154{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133B1FB6C6D6D6C79537CBE3CBFC0969,SHA256=5EDCE3795928CF21D60E0D150829CFEAD2E8442D66F2077FA90CF808A0702945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369152Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:25.169{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07E52DA0CED7D54A4020D999C078520,SHA256=005ADAF5C166B8A2B28D02C6E368987BD9DA6545D899B7770B3F313B49074ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322915Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:25.131{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93998F2A1CF95E131B75A2EA5F46FEF2,SHA256=30E6534C779D7650FAE2C572892037F89158883827BAE6ABD47040C384DAFFE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369156Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.119{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-28279-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369155Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.101{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58832-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369154Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:26.201{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6833F060C31F01AB4AA184474EC20D76,SHA256=8C6EA38C3D198D9115DFA7C626E5A7F43EAD1BE64B7F093DBE155B517A3FBFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322916Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:26.147{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79017BA536CAD7048D176F0FFE5EEE4E,SHA256=A8A4FE2E9BB0CFD22648A7DD03ED086F6B4F7D8A47C75E0B7F9D303DBFE30E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369153Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:26.044{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A103C4A4D7F91875229BCF2B8BD61DCF,SHA256=31463FE12C475BAB9F84FAF5D88548AEB092068AF360B5691F8CD621B943E779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369157Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:27.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54796F320AF3171AEEBDF43E883962D,SHA256=D2679DC18E8CC228B65E3C031DB240B853224A9A56A57E8D4B91BD17CFFC528B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322917Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:27.178{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBB0717AAADA88E9358A25EF3E9DEBA,SHA256=9313CB26B3A1ED771BC899E3F47AE876814179C1DABBDDA2E4DAE749B72277FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322918Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:28.194{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203A0BBE2D9C8E40547588E0839AB9FB,SHA256=8632F531D23E78799A1798E041B259D6E67C42A3C98694077ABEA763FB0A08F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369159Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:25.479{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35909-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369158Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:28.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA8E811CBC7FD63DEFDE3B4EE9D8913,SHA256=430DB32A46DBEBB28F620347FD72CD57D10793AF69845032D8D5FED0DB43CE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369306Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.451{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\WimProvider.dllMD5=1B0C7DFB2240BA004B37904073624DB3,SHA256=F2C7DB522DDE968EDF49B03BC10978AAC4C42C745CA4A474627E8CEBBCEBB00A,IMPHASH=20D31D66F56B810094B1AA564C92009Dtruetrue 23542300x8000000000000000369305Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.435{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\VhdProvider.dllMD5=F37C8F5BF852151D9BF085687A8DEC6D,SHA256=6CDFC95C2F2ED3695D5EE8CF4367A6C7FB5707DA3C234CEE8FA8C1BBDE426DE7,IMPHASH=3CA997A1A0BD38B850B18DAED5E948DEtruetrue 23542300x8000000000000000369304Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.435{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\UnattendProvider.dllMD5=3DB4777B76FC1973A61754FAEC348981,SHA256=29A4C7379E5A0A7532C90B5ACE0DD99AB5311D03CC0BA6A4BCFB410D7D8B01AE,IMPHASH=4FA75E8720452554D61C8AC5FD64C43Ftruetrue 23542300x8000000000000000369303Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.373{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\TransmogProvider.dllMD5=5E82E2B7CFF045C7CDA8E33EAB186402,SHA256=0038B82E999C3DEF3980D39A8CAED9EA6B52A4FC9EF58BF3B3F5FC91F7748112,IMPHASH=7746C0E3C7D3763C5F13C90D4934087Btruetrue 23542300x8000000000000000369302Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.373{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9E2E02612A14BEA2ED78ABB5C531326,SHA256=0907C76440B4A1E08BEDC9477C687F4A29C36EF3B69E3B1EEE2E70A09C660619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369301Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.373{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\SmiProvider.dllMD5=C5C7A9E3121B91E51ECFBA6FB2985044,SHA256=FB519B9EEF4C3344D58C768BD3AD7ADCB0677EA7B998056B6A13620CB9E61412,IMPHASH=03C38376DA7CCE75E82EECACADA0EA03truetrue 23542300x8000000000000000369300Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.357{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\ProvProvider.dllMD5=5077063311C5708318C5FA3E255011ED,SHA256=97FA95102B6ACF00C70F140EE9FA4A73A6BE7C03E0F0D99AE58DB5E492CD0ECA,IMPHASH=D8DD764BFC0F1D9E403714D169018B83truetrue 23542300x8000000000000000369299Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.357{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5AB2892746199C7A29C2B892EE5746,SHA256=AF2392A935957515F9F9496F43A4C84E1315D1F02A938652E127A2A69C2A1E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369298Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.357{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\OSProvider.dllMD5=4868187A2F176074DB7F35E356F74D4F,SHA256=84C8C4C67C808871A278254304D985533F67D44391840F43674FC829014E1B60,IMPHASH=82A4D833A82D441391A9AA3027199337truetrue 23542300x8000000000000000369297Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.341{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A733379D41E38FCFA953E44EC7DCA4,SHA256=99DE77809B20E3282DFE76DFE3D0D3A05476AF9C284667B7F2A6C1D402591167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369296Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.341{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\OfflineSetupProvider.dllMD5=86B7E8438B1125C479FD275B1BDDB9A7,SHA256=47FAF8671B25A30D7BCC47AD35926D70DB633A181FA6C276479B4408A526E63E,IMPHASH=B8B4A188EFC4F12D33591C6D319B6F12truetrue 23542300x8000000000000000369295Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\MsiProvider.dllMD5=EA19239A85416A488360FA564D312402,SHA256=F21591336CD1A24EE941827620405FA34414C1C349216B4B8083ECD1FFF17C29,IMPHASH=33E1132923056DDEFB0521726DA5B987truetrue 23542300x8000000000000000369294Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\LogProvider.dllMD5=F7DB4F104DBB56DF5A156E7329E80112,SHA256=7C67EFAF44D1413576B4575B1A4C975BCB10B64BEF13E6756E895D4DB9E61AA2,IMPHASH=FB695172E8A76C56E97CE435F8ED0220truetrue 23542300x8000000000000000369293Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\IntlProvider.dllMD5=0082903881275179642AE83EFA720310,SHA256=7CCF1625E6FBE4DB16F12AC037E4236A3EF269DEE47A157C68374C867941F9E8,IMPHASH=CFB81BC5FF922F23D605A653700FE666truetrue 23542300x8000000000000000369292Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\ImagingProvider.dllMD5=EEB4AA36BAD26A2C6216A1FF3439B58C,SHA256=44A6679425039DC870C297294C4B3323F6FA9DE5C7D16D7D0AB7E1254AFC75D3,IMPHASH=0264D9B4BFE54732ADF0E29BC73BF280truetrue 23542300x8000000000000000369291Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\IBSProvider.dllMD5=11DE34FCDB75E79A920D3B491F3E7BF0,SHA256=6B7C7AD8B1AD522B27B2CC5E4F76F56ADE4495D7D46CE4F997A68954F072AF17,IMPHASH=C755896FA14213058E34639A28868FBCtruetrue 23542300x8000000000000000369290Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\GenericProvider.dllMD5=397ED660129D40927A27B75A4B8FAE2E,SHA256=EAFCECFE911DABB4531E1331DDF2E119DCBB6B7A887D70BDE737EA76BE10EB74,IMPHASH=F55EE75573C110804DE5E50ACEEC1B06truetrue 23542300x8000000000000000369289Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\FolderProvider.dllMD5=6428B4D0C26DB23E9478F039891CD5C9,SHA256=55126BB099785C2F9CD32A30991082C47D62C8231D570A9D8A6F3CC599B25EE1,IMPHASH=B2CC5EDD42A866F7CB6CAE42DB969187truetrue 23542300x8000000000000000369288Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\FfuProvider.dllMD5=E27BC7F808E72F08372BA3C40B4B6344,SHA256=927B194432046C0D2ADF7C7B71E4BE85602C4D00A5D6EDA9F9DB9924E1C3447A,IMPHASH=8580AF5C1871319D05329DB2E96A8146truetrue 23542300x8000000000000000369287Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\WimProvider.dll.muiMD5=CC3B15540DDB521A300BAFF0BF4F902E,SHA256=33C06CC037DF1EBB72A15BCC2E09BC89DFEF7DD94441C650FD3D0C833122002A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369286Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\VhdProvider.dll.muiMD5=10536C56F02E68EBD13D0B2CE8665C6A,SHA256=06C3B71D251A8DD47D02EDBFBE84E0B6B1D67956DE4D3996031434CBAD728929,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369285Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\UnattendProvider.dll.muiMD5=B7E3676672BE6851EA13ADD879C2945E,SHA256=2D2D82EE842CD346B58DCAFAE6FEC46D491E0D15CFBE0D8964A4AB7F18C5AAB9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369284Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\TransmogProvider.dll.muiMD5=D5D596B1102DA565C2ED1FAAC170E758,SHA256=B5DBB36E947FD64AAF22C53F0A9634C7D72D4CC270C055B67E020920BF806909,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369283Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\SmiProvider.dll.muiMD5=CAD746ED5AF63E7FC49ED4A5A3984629,SHA256=016C6071B04E6D7E12AD9B8A85C002320331E01ED62922C573A1AC43BA0DD919,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369282Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\ProvProvider.dll.muiMD5=70AFEC86B6CF677BF8D3C713CA3281FB,SHA256=C8579EC95A51EB663FFC6145F0998C2F1930A6B8146C84C0A9094BCA4E5195A7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369281Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\OSProvider.dll.muiMD5=A464DFEDEA8520616AA9B2ACD166A77F,SHA256=54E985CFF256CEBE82E9EF3E814A5FDA9FF730BCB50265E9BA78DE65A4DE3F42,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369280Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\OfflineSetupProvider.dll.muiMD5=CED788DBD9D13D0490B2F642B0B051F6,SHA256=D5DBC0A52B598800EE14569859383525950B865F4816E47E2E73F79AA1C32A09,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369279Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\MsiProvider.dll.muiMD5=5AE9ABD6BB469F3AD7B3A4CCD40974BF,SHA256=C2CE66F2F218890AA76F8BAB68B4C0FDCED0688E694F912F3A5BFABFA6CDB5E7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369278Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\LogProvider.dll.muiMD5=0D4519BC8EB58A006E4A5EB993C0DCCF,SHA256=DAFFE67521F9B4657FBFEF9585234CB39293F9B866C0D97D66F675037515BB51,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369277Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\IntlProvider.dll.muiMD5=16ACB74928BC55FD4AAC316F3B92E1D7,SHA256=17CB486CADB679C75A27BA6C76E2FE714F4B8DA845E6F795759517D6734F0BC9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369276Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\ImagingProvider.dll.muiMD5=26F5BBF8D6EE90B4F47C18E93D1087FB,SHA256=F41738FEF7140176447ECF371B1117A485E48BA6F3E9AFAA8C4F883ABFAE62DA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369275Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\IBSProvider.dll.muiMD5=0B09FE334215A8E736B2CF08A50D5204,SHA256=DCE9AD3B79F91BEBEDDFCD9E03F1557CB7C6114AC906081E9E046F807093CDF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369274Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\GenericProvider.dll.muiMD5=956B8B45B92321C0D5975EE9A6C5B773,SHA256=578541D71466CF61EF399023B34EDFCBD915142BE856534AD4D17D25E7CC9F3D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369273Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\FolderProvider.dll.muiMD5=DC4E4C2800DC6D98F7893044A21D246B,SHA256=8B4CE62F4E4294E701193C7AE393EB5EB29AA45932D376CB1A03728A140096AE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369272Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\FfuProvider.dll.muiMD5=5ECAD70AC2B3A95CBB42D6FE67D2F726,SHA256=C210389DBB9B7B4A802E4B0C3C708B6F55B086564A01E19CFB183B6AF916C30A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369271Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\DmiProvider.dll.muiMD5=38C2A1560C340537C3AE0CE04BDF7EAA,SHA256=52B06DFD85FB5AB1DCE2BE665CA144B1AE6658F518D1623D9B44C347C482B064,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369270Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\DismProv.dll.muiMD5=BD7B77B3EE9A12FF3F5446ECDF80B5C6,SHA256=B972A0B2C4682E9074441B481BD886DE19B8DB3DBA401B88E980B154C14D5A7E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369269Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\DismCore.dll.muiMD5=C901FF639EDFBBE710D6E5882F07CD24,SHA256=9BDA61D23DC50F9AFA82DA94B06B7B9C8229D5ED666D2F5270DAE13100815C27,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369268Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\CompatProvider.dll.muiMD5=A2A344CB32B6835744A36D877C952665,SHA256=A74D765B796638A921C4810D1712A08F7A37C9BA9E91F4DFDCB9727611C3D18D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369267Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\CbsProvider.dll.muiMD5=179B34BE97A383AF3E757031E7DA964B,SHA256=ABD3824664D1336EE849D89BA178606CC1B1E23E173752D8093F34A5580FA8F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369266Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\AssocProvider.dll.muiMD5=386FE7AC95738A0CB6D25DEA662991F1,SHA256=22DC7317108A528BA92C853330598F628B93FFF27CAC34C2F501B806A75261D9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369265Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\AppxProvider.dll.muiMD5=9FF5081115C2C21D9F85AF7EE6D2CC63,SHA256=107B10A8C1426F1C0D703F06832D740A4CFDCAA596FA0EA147A32A736A7A2A4D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369264Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DmiProvider.dllMD5=FC76385FF00D4A93618D842B41716D8D,SHA256=BBD49A49CFFA8411FFA91B02541F5F3B5333FD9055BC129DDD3B36EB005C34D9,IMPHASH=062B279D8ED4374A0CD0C84620F4BE4Etruetrue 23542300x8000000000000000369263Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismProv.dllMD5=8C7D97E22045AE402EA896F514CEED81,SHA256=76D3202E11BA22D277532A14CAE60E596975C0D8C34C7BE154F453EB1F7C37EF,IMPHASH=0247CB1C8FD55E43A448E359883057DBtruetrue 23542300x8000000000000000369262Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismHost.exeMD5=A59C22B77871CC18970038B7FA43826F,SHA256=CB84B51713BAD689ABB96560E57A71B276D4B28B1C09C7116EE85F5782A1B144,IMPHASH=734010D3430DBD2CA51B599924FE1424truetrue 23542300x8000000000000000369261Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismCorePS.dllMD5=FB88731B484D1FF4AFF5DB75A20799FA,SHA256=EA155388211E0C3CEF2C99BD5F341C9F93F1ECDA6F21096DB6F9DB2110686A52,IMPHASH=65E10DCEA11F7117C161DC7557B87689truetrue 23542300x8000000000000000322920Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:29.381{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8A09D1D2FB053AB28E4D9D648CDB5B6E,SHA256=F96E5F05AEEBA529AA1D289296894A2616A4DC3471D2E6472BC8A9EE49312054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322919Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:29.194{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96A7D7708E19A6C7D273AF7BE04028F,SHA256=4CE0932AF2883FE605C4D2F35DE69AE6C00CE2FEAAB5B90F258987823F73BD19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369260Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.232{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismCore.dllMD5=F1AB58CACD95921A04225222D03CDEA0,SHA256=EDE89F377FD46F95639413411CDA072D9FF63E72A399B26AB4870094F145091B,IMPHASH=B7B56C790C8AB7134B0680D8DFE46658truetrue 23542300x8000000000000000369259Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.232{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\CompatProvider.dllMD5=E5C1D020198EBEC1D5ABA640C9A600D0,SHA256=A80FD2846E05AB491BDAAFCE8854A04549A852066B82B90D757D9B6A44ADA8C8,IMPHASH=2CDD615C09EED7B572606B2A0C0EFD2Ftruetrue 23542300x8000000000000000369258Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.232{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\CbsProvider.dllMD5=D4A64C7C50D0C6BE9F8770177E2264BF,SHA256=E6505F9DBE17DF9E7E52B5FE1720E1F6482B25D262A47A320CF438C5FD5A5797,IMPHASH=99D5DC4FF67AB12670853DD4E32E8358truetrue 23542300x8000000000000000369257Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.217{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\AssocProvider.dllMD5=56CB83B3454882509791FBA62832BC87,SHA256=5B01524CC03B6EB58CC9E0FF479014EAF89EE7FDE2791BFF871BC90274D200AC,IMPHASH=83F73507B4613B09C6FA825535D8A81Etruetrue 23542300x8000000000000000369256Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.217{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\AppxProvider.dllMD5=8F6792DF9EC54934B76A68B1D7B66ECA,SHA256=E57CB2D5CEC5E1354F4E31CD08ADA02FCAA0E2DEA4B28C8F61683BFA3E875C05,IMPHASH=F1558CACACA712554EBD5926B4B3FE52truetrue 23542300x8000000000000000369255Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.201{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-winsvc-l1-1-0.dllMD5=09934F0F7227B9489D117C26EC20CD14,SHA256=CBE408A0AFF90986A6A7DDF022F96302B4FADD08A0C3C166CAC7A64D6ABF041D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369254Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-private-l1-1-1.dllMD5=484ED248F1A72C6E4E6F6C3F5A3339ED,SHA256=00E14515FE6FEBBF3C2CFC89A6F1A3D6F48B3E7A5EB08D50DADF69CE3F34CC47,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369253Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-private-l1-1-0.dllMD5=FEBE55EA884F3C1EE45ADE2734AA6BE6,SHA256=CD51DF334A600117133C9C8100DDE766D980456988FD333A40BE5A81C8092340,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369252Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-management-l2-1-0.dllMD5=0D45D811001E0A7683A2B7CA8A883874,SHA256=F44E2A85D7507159AE115C85C3497C57BE4ECB2D6ADDB30A534110266D56F92F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369251Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-management-l1-1-0.dllMD5=C36912B3A28B06F5BB24FE9BE49DA4D3,SHA256=D737A832C0D595E8E52846C2D748B911D7155E372F43FBB10513CFDE0BBF83B7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369250Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-core-l1-1-1.dllMD5=A86D518BCF3970C17A1768792FDF37FF,SHA256=AB5CC1B14D6BB708B5C87C2622DA886E2119A6997E08108CCE36080385DAEE71,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369249Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-core-l1-1-0.dllMD5=A329C75641638E2FFA11087F614FD4C1,SHA256=5071AA303D436407D195EF37889F018BE7E350DA5E690793587458D4C6D308DB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369248Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-security-sddl-l1-1-0.dllMD5=C6C6C3E4D7CFA93246362901750A94D9,SHA256=6E274ABE823EF8B30629A99D9F942794C9FE6D003021A0C5085B49A7D8611DDE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369247Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-security-provider-L1-1-0.dllMD5=207B5716605CA4850629F3E2FFFA07BB,SHA256=BE6E6284F69C76BE6366EA8D44D85BDBAB6A71DD42E8B5575CFDF671AD58DCA2,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369246Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-security-lsapolicy-l1-1-0.dllMD5=FE7AD7265E296947172B8C491E8109D2,SHA256=4D231AC65F0F54BFF45CACFFE7DF3109CF87F78D14960EC8F03654E605AC8ABF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369245Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Security-Lsalookup-L2-1-1.dllMD5=EBD6475839F5C99FB8855A80E0FC2AF1,SHA256=F519C7AA6930DAC83A3045CEEE42F64F26FFC54254D5ABD1B0F7D99C47569A30,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369244Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Security-Lsalookup-L2-1-0.dllMD5=AC284A6251F5D26633AF48D918D09628,SHA256=F7A34B793AACF75DA4EAE843B6088C0BAAA8B835EA5F6A65E72EBD9A1479C8A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369243Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-security-cryptoapi-l1-1-0.dllMD5=DE0A49D4B2E9A5FA6762BD191C622B32,SHA256=AB12FEAF15CB313812B01AFE1198B62E72F7702D140830ABAD2CFB6251E82A7C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369242Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-security-base-l1-1-0.dllMD5=DC4B661366FEAA4ED54FB1004D9E7A3D,SHA256=B4018F8F249CE087DB46F61A0C2E947248A5B71576F511F0B3650433607BC663,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369241Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-EventLog-Legacy-L1-1-0.dllMD5=B8B7B02C3C66638EC0BDF49BCF04A680,SHA256=5D1103E89199731DFFF7BF89D7F6484C038D47CC04F730CD5233EDE488272E6A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369240Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-Provider-L1-1-0.dllMD5=FEAA05CE6CCB92AA7B2A2C58C049891A,SHA256=31A4AE262E179DF4CA406E1AF90F651935657BB5FD990C675C67E37D5B834CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369239Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-Legacy-L1-1-0.dllMD5=88450242D5350529CC8E46FD9C3F3B7B,SHA256=312B6BFC89B551F2C4E8FEDAB316DBE01F190CD5E67091AAFB0E6F67616DC745,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369238Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-Controller-L1-1-0.dllMD5=00A27A81EAAE90C9CED7063013877357,SHA256=DC4EE086FC046E1D7A291EA3B8B13E77B7A252B5C283B8F6C9CEC729070B7822,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369237Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-eventing-consumer-l1-1-0.dllMD5=61958A4BE8F944BAFB29DF8009541FCD,SHA256=3B7CB5622BEAC7D633A84EE2F7336C8DE1D3D1AA10577D98020081AB67761FAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369236Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dllMD5=8500E093D6B36DF1AF271F6EB34227CA,SHA256=99E2CD36104D3EFD4DEC88AD0F4BED1FD1BBFA97CC4FB29DB7F7136290DD6B70,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369235Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-devices-config-L1-1-1.dllMD5=5A03B636125C21AB918D2CB04843DBA8,SHA256=C914CD6FE6C7B16533763BC789EDAF67D7A19C26514C927572051C4379C79FC0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369234Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-devices-config-L1-1-0.dllMD5=0C61A8D9CF9BBF6D771BEF0FF4A43E23,SHA256=66807B95E13944D52E9A7AA1F1A41E632FAA46F6B48F98451618DB3845622577,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369233Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-xstate-l2-1-0.dllMD5=56A386E38B637FCD96CED04CEFBCF8DE,SHA256=A5BE1E3C71A3A5C8EEF4BFAD9D0BADC97BA47B2B9911CED4BD1B8F65BB8DCB77,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369232Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-xstate-l1-1-0.dllMD5=6A982D13DDB295E59F90FF23EDD2E60F,SHA256=3617DBCADFE370463B4DBB91C1C6222923F16EC362DE29C2CA3AE4E72C9ABB64,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369231Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-wow64-l1-1-0.dllMD5=AE7573E1DC370B9A8FEBCC17A6C82FF8,SHA256=59A473D1AD7C181C89AF00B966CD107F1846CDC526009C4807A1EAE3DCB3731D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369230Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-version-l1-1-0.dllMD5=5CB34501C2D784D31281FD526B0BB963,SHA256=E45B73AF0C35F05B01CADF6BD4F67C1497586F4C4F9A16F0448BA751E16C4596,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369229Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-util-l1-1-0.dllMD5=212DA9E9AD6BB61A3554A4174BA558CF,SHA256=01291D3895EC5BB0E658F91FE1512AADCBB6D8F1154BC6023076554AFA05AC1D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369228Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-url-l1-1-0.dllMD5=198A08F8150D7575CC207CFFCF67D66C,SHA256=86F6DA0F1D075B7E1678DF71689948FEC334CFB10316FEB40E5107135548F9B4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369227Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-timezone-l1-1-0.dllMD5=4D7C132D9742FFA44248B1BBF32020FB,SHA256=58A65C1938DCDF64D2930B037E9D133A5ACDF46365835782869D3216D3CF2CED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369226Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-threadpool-private-l1-1-0.dllMD5=A9BC53B62CD4B269B8385ADBE0AE808D,SHA256=A30003AB0C020E433CC5296E7E150BB11820395D439062FF7FD6D7F449C4C5B3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369225Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-threadpool-legacy-l1-1-0.dllMD5=CAC86F4298EB2D239410B3338780DC34,SHA256=1D99842180A612D63F1A8B137A9BF0375B7113AAB325916BA4781AB8A7B68E7D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369224Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-threadpool-l1-2-0.dllMD5=D32DDF80AB3F1F96F431E5672DC1F387,SHA256=E2F0F0D46082ED40D042BCCD47F4E917707CF884672C5919116126914FAD4572,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369223Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-sysinfo-l1-2-1.dllMD5=E83097DFE144367FA2231828F9FD89A6,SHA256=69FA978126192DBAB6AF11C9878D9C2BD1FD7E3FC899300244DFA4A1AC7ACA31,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369222Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-sysinfo-l1-2-0.dllMD5=8D842EBFFA7803451A3AC7D6907A6AD9,SHA256=808C22A733B5F6A4E601605DCF4043C9952CEBE825FF2622097FC5B4FACF682A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369221Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-sysinfo-l1-1-0.dllMD5=376E34D4A8F94C94FFF063810717612D,SHA256=5285A11016967E2017A8187882579CBD722371D0B7497B356149FC447160A521,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369220Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-synch-l1-2-0.dllMD5=E19F4FA6A6313F00ADE8AF26649A0BA1,SHA256=386F6CC0C3CE0C904A44A2FDDD11B2E5EA7782B08E69FD961DA5BE3C32BA5C26,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369219Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-synch-l1-1-0.dllMD5=95088E453B41A8B50E7340E6DE9CD09C,SHA256=E4938C16CA5FC7A8C9D87E4201FA2F28992026F5858F36A2A44EA22B5BD0889F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369218Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-stringloader-l1-1-1.dllMD5=FE1D00B19175DE6E9729F709C508DD6B,SHA256=D726F32AEB323F4DEA55D35441D1FF06BF3E212846A6B86D9ADC8F9DD1307B57,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369217Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-stringansi-l1-1-0.dllMD5=43F8D61E2EE0E253B973EFED0B3EBC8D,SHA256=1B9FA225A474D42FF8360141C8BC1EE1E7310958910931AC8E5A213E957700BD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369216Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-string-obsolete-l1-1-0.dllMD5=92C0A4E592B5D773C562A36CBA4E6E47,SHA256=5191E82E921398310FE9FD333F5CA44E6233358499EDD5B33BF8E9F0C9D3B88E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369215Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-string-l2-1-0.dllMD5=3E1902AF98905F00E62B1EC827EB0FC2,SHA256=503443DBF6E6E481EA1C661109CE17B3D55C4FEA001D77F11CD032BDDF64FD29,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369214Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-string-l1-1-0.dllMD5=D30D4587D051D288D1023DB0D826295A,SHA256=DFE66C8C205C95274565BADB7B3C19043917F6CD07A8DE34CE241EFFF9EA6676,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369213Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-shutdown-l1-1-0.dllMD5=1D8D1283F8279BDDACF8745AEDA3DB2A,SHA256=21BF3432160DD9851CAAC716DF3A41E39428A84BA9B9D3C63CDD300CB6928300,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369212Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-shlwapi-obsolete-l1-1-0.dllMD5=33BEFB60C3DC3E93FCE54A0515100181,SHA256=24B3FA4C5E8AB463BD2CFB704D7BFA7E8429726852EF582F94E44D7691BDD1FB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369211Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-shlwapi-legacy-l1-1-0.dllMD5=699CDC66AA090D13EFF451F2006944CF,SHA256=6212B2B8CF5533F9DB6E366BBADED7A8D6EAD6667EA6A425B6987102669D8D96,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369210Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-rtlsupport-l1-1-0.dllMD5=F9672F68330CD16B0D1FA3A75B123AE8,SHA256=C5938839A3DFFBFBFEF432D0A95D0773375B4758FC160EDD04383A4B4273A18B,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369209Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-registry-l2-1-0.dllMD5=BBC015F33C0C3C2F9FC58C466BF8A30A,SHA256=1ED3511DC98353CA8E9B22A40C318BBD24484C25C171886B06B22AFD396ACFE8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369208Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-registry-l1-1-0.dllMD5=D132FADCBF190A1C68070E6D488E67D7,SHA256=E6F51C07641EF931C4F97E5D966242BB96A156A603A7769BEAE0EA61E9E25486,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369207Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-realtime-l1-1-0.dllMD5=792C54B79CA333ABBB51BE66815A98CF,SHA256=1E3B3505560AB3E641C386473A83AA194D94CD5BC6CC4FA718D003D1FF899601,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369206Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-profile-l1-1-0.dllMD5=C4E53285E8C51DCBEFF5098215759D69,SHA256=320A6138FE915BE7E83F4CDC2024531948185C3BFC939CB367A53F1AA74BFB2C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369205Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processtopology-obsolete-l1-1-0.dllMD5=99E3ACC47F10000AE67A577F5893FD5A,SHA256=AD01524D3FDDC25C91292808E7B333B587C902E996E557885E79CC10F9A66214,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369204Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processthreads-l1-1-2.dllMD5=DABFBC1EAB7AEE555F3BAEAF981EC7EB,SHA256=3070505B0B060D9EE9C2B699A518481A22DC15ECAF9603089FCF9EBC022179C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369203Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processthreads-l1-1-1.dllMD5=8C5DF20B2E2DE6BA6717A597A951E4F7,SHA256=BE42C78E3F21CD6E74811F27E1B76C4FE8537FB149EF34EA455F22AAA29720ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369202Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processthreads-l1-1-0.dllMD5=3D0CD1FE610E55E8C151162004A1429F,SHA256=D43535460D9CF2F2D348E9F2027DAF9FC0C0C906D5066E15F86332C839C94651,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369201Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processenvironment-l1-2-0.dllMD5=BB20192D0B22AD2EBBF4960B66D2E164,SHA256=23E758C4F7646AACC2DE8B8930BB272115F726F27E5437DF606E1C2328FA48F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369200Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processenvironment-l1-1-0.dllMD5=2CF62C9CF255C15AD1C8B1CCDD9453D6,SHA256=35CDE2048D4EC8D5D02B1CA57B81B8D5F579541EDBAF5DA4485A6323B8C3A805,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369199Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-privateprofile-l1-1-1.dllMD5=FA8EFF9B35BE58F70CD0014DAF108819,SHA256=835F086B0884E8E1689D661657F258FA1E71439672E9F0CC0140D614DAB6FA6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369198Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-privateprofile-l1-1-0.dllMD5=C8490BC5ACB353CAF140CB12670883A2,SHA256=85F3FE5E802843596F466D479111658B08271E48CC1821EB17E6D299D523C95E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369197Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-namedpipe-l1-1-0.dllMD5=D8F1E545D80C2045881C7F0525558D80,SHA256=0D9C3D6A6DF364F812D370258C1B3D3F97584E9F7D36569D06746EBA1695D368,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369196Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-memory-l1-1-2.dllMD5=9F77AA276A31F36805DF003F9E66BD99,SHA256=26425008D97A2EA8B95AF52BFE47CF5DE1DE9BB3E25DF77123B85C895192D7D6,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369195Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-memory-l1-1-1.dllMD5=728A5655624D5B091E8E216BE90D9EF9,SHA256=A2B17F63065CC760FA9CF5D2950D0E13613997546C90CFA1C094CF32171D49ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369194Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-memory-l1-1-0.dllMD5=BA6B6729DC95AA60AF31A160E2CB4533,SHA256=AA433713D5D1DB4413E9F5D938C0C452BAE8EB1BF8CD011803464BBD893BBB08,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369193Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-localization-obsolete-l1-2-0.dllMD5=B5727AD79BEBAAB6E6AFA381A28A8E9C,SHA256=C0E101B6BCDDC28A9BA24C7796BBDAAEFC14459E402FD53053F3C23E0D84D040,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369192Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-localization-l1-2-1.dllMD5=FD9B6F1EA88B7167E6EC227A61B90888,SHA256=2FEF21096468EE5C6BFC88971AFDB4CC07F6C4669375561863B85023C15684AF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369191Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-localization-l1-2-0.dllMD5=C8420A86D981BB6AA0D32001D234639E,SHA256=2E93EA8BB070C07C39B7F042B7D9843C4B74B3D4E69C8E33D89B0574B2D1D43D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369190Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-libraryloader-l1-1-1.dllMD5=787DCDC02E39A27A63B857FF6E819593,SHA256=91A7DEC7B636C00032D122CA04D4B8653B13E1211C54A4184F3955D2398C2E2E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369189Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-libraryloader-l1-1-0.dllMD5=AC90FCC4E819CD2EEED5D09A1FA42BAC,SHA256=2DA68FCBCE619BE5A90501F971467B7A894C6A705659346729E1E4E306EEB7D7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369188Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Core-Kernel32-Private-L1-1-1.dllMD5=E269D033D63A117DA8F3F855B90CCBFD,SHA256=41437C84BF757CC5758BF381600D0DECB00E8F8F56F11765203B7880AC4CDDD0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369187Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Core-Kernel32-Private-L1-1-0.dllMD5=58B0B7C61F098BD1E73E9C156CB38C64,SHA256=C366B92E7048081C7B336CEAB970BAA20AFDAEE2456820AA38360D1429C27669,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369186Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-kernel32-legacy-l1-1-1.dllMD5=912D93DCBE67A1373D93BACD0174E3ED,SHA256=0B94CB7472E0777AEFC1B3208ADDE41B893B78B3223F515FB86348D3362624C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369185Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-kernel32-legacy-l1-1-0.dllMD5=8E788763C9CDB6E5D1A313C08F7D621E,SHA256=5604FCC803BE14AD10C7A2372FB19BC80D43AD850109A670676982A4EC961473,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369184Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-io-l1-1-1.dllMD5=DC7E345A08B64DDD90906151E1D566E9,SHA256=ABDC082DAA40FCAF14E4E554DF23CFC48533F5A2157BD540BFEC49EB8E31E403,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369183Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-io-l1-1-0.dllMD5=A4381D04E233B96B657262DE9B31594C,SHA256=17BE2709D85E6B922BDF5D357FB4CD9416234F8E6685226F5EC776E8B3B5A678,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369182Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-interlocked-l1-1-0.dllMD5=39646EB20F4366691E3EFF958C99D1D4,SHA256=262D2C2EBAFFA4276F54B05A5A1DA125CC9DCCAF76EAAD3AAF7B23D54EC33C8E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369181Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dllMD5=0C5DE8F3B6CC9B44ED0A0556A02F4867,SHA256=D08261783A1749B08F7423923B00FD77E3B44265889B1F550A64239586BC8FC7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369180Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-heap-l1-1-0.dllMD5=51EBE577149EABD170684C2668F967ED,SHA256=0091D6C33047D8EF6E0F09E049DF2CABA5EE6B4F5B1870E0A369D3BF6DB72330,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369179Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-handle-l1-1-0.dllMD5=F83CB23123F3E4885547ED29F2BD2360,SHA256=495A9EC7C50D6D72F209E1F69C9B0C292D8D32FBE79FE675128786F8E351B988,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369178Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-file-l2-1-1.dllMD5=8B79E85DB9AA6D00794E5151455951BB,SHA256=EE600140599138132439FA9FB9FA6B028A9BF2A206A856CCB1106EFF45459C13,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369177Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-file-l2-1-0.dllMD5=455C1AB890C154076E0E23A42F10B6F5,SHA256=DB95D8AA71A8E0A54852C1A83E42267C72E26F2A111AD41146096BF26825FF62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369176Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-file-l1-2-1.dllMD5=A9808572063E5A5649EA59F8B40FC7A8,SHA256=D4FD5081924D4B544188A687BD37127E0A38AF310E77C55F6EC22896B95B3C9C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369175Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-file-l1-2-0.dllMD5=4438E1D7952A77B7F71FF45EF821814F,SHA256=1C4FA5120E310E49C8112ACB6E594DB2F581AE4B6BA6241EEA4301E0E373959F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369174Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-file-l1-1-0.dllMD5=FF5C179E19923B65E650B11283250D50,SHA256=CF84455BC2AADF2960F0AE4D3691BF3032F412578CB2730A27848C6B26D00225,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369173Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-fibers-l1-1-1.dllMD5=A263189D905386A2A91CD2EB39D3365D,SHA256=7392027920D102DBE4C2C15590CC471063D6B1456CAA797BB71F8973C60B47FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369172Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-fibers-l1-1-0.dllMD5=A1827E232474C845B7A495D1A4CA6169,SHA256=A95088251923F1233CA4F5675457D6D6B2A1601734D4B5451420298491864746,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369171Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-errorhandling-l1-1-1.dllMD5=E98BCC3FA25D6DB36D50786EF08DBADD,SHA256=7BDA00F42BE64BCC1022EC3000FE2582CDF4CC89083D868ACA9DCE982C98C52C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369170Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-errorhandling-l1-1-0.dllMD5=14E8A42D84E459F617344438903680EE,SHA256=1FCB6E1908C13B5184373E83B3C13FCF96B55E4FBBC8AAF4D6E9DA604DB75848,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369169Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-delayload-l1-1-0.dllMD5=762D2E52FAFE433C50648FC23D7C3E76,SHA256=53238588E10FFAABA96C751D34181BA04A869A0474757E79D9FE82ABC3DC7CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369168Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-debug-l1-1-1.dllMD5=1652E7B742F30832826B48E62485BFC7,SHA256=0362AFCDFB6CA89CDEE0DACEC94A5E45D6910B5337343149007DE2443050D154,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369167Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-debug-l1-1-0.dllMD5=E02F6786930435C736D71E9B6B898773,SHA256=4C0F43EAC3834878F16175B17427C0195A3213B7CDF9702447667D703AA29B54,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369166Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-datetime-l1-1-1.dllMD5=78876D83AA27E510EC3DC3355D034B92,SHA256=44A696C4626AF85EA565D651D7FAF5E21B6EB0C6EE47EE93419D8A7BAD565278,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369165Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-datetime-l1-1-0.dllMD5=CF9560A4450AC70C51866581802AE8CC,SHA256=A7A23DC37F028D38D2836CE881FCFF1FD066538588B207BBBCC3B1AB96E3AB62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369164Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-console-l1-1-0.dllMD5=893E267BD0B91FADAC2A2BAE70FD0400,SHA256=17D17AC0383117E9A14D7687ECAA3B27AF1C71B89687A5C3E5B8761B2E64EDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369163Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-comm-l1-1-0.dllMD5=C7EC73197892D7F63059C10D19BD5D90,SHA256=768E17ED08111FD22BAAC8FAC00C7DD87F0E57FEFCDAC58CE04B868528B2FDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369162Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.013{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-com-l1-1-0.dllMD5=08A5A3129DCB52F3C4E51EE3C4A827E7,SHA256=3C6549832275052BCC2234CC4433D95407800ED65359F5147C4762EE0C71F712,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369161Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.013{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-base-util-l1-1-0.dllMD5=29CD6DDC6BADE9098B9A4402C6336D62,SHA256=B97C475AA8241C9B674E8C51C387AFAAA7977B036D9E2F7FAFB6CACC11D985BE,IMPHASH=00000000000000000000000000000000truetrue 534500x8000000000000000369160Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.013{27B459FE-5E7A-619F-3901-000000000F02}5360C:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismHost.exe 354300x8000000000000000369314Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:28.303{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58833-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000369313Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369312Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369311Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369310Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369309Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369308Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369307Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.529{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E11CC20887DCC70F2743880A6CF8E2E,SHA256=79D582B7BB7AB362D2EC9BCA31A3D9C4A7FF854EE4138F8ED449710C41CE38B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322923Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:28.556{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49941-false10.0.1.12-8000- 23542300x8000000000000000322922Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:30.209{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8A7709A85AADDD33C952E5013EBB98,SHA256=C627F65A05EA361B1C35F7E98471CBE14666156BC0E4F192FF3DE5EAAF1B5092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322921Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:30.178{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369317Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:28.902{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-46263-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369316Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:31.576{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFC5F44C97DCDF36FA16625410132F2F,SHA256=9E6E11EB2CEAE215B2E16BE15A8FB8AED583D232E97BE0C855886F4BA1FEA6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369315Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:31.545{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD28327F1BB9BC4E9FD82D0D16A921C0,SHA256=18EDB61CE3DF042FA57AEA43278C8D3F33BA74DFD2B1FA09ECD398F1B7AE601F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322925Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:29.727{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49942-false10.0.1.12-8089- 23542300x8000000000000000322924Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:31.209{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F078C3F48049E3DFBA76CB8F1B348885,SHA256=F5D20406810B728375AD4FE9AEB3DF1F84DC488A1C899F958E8E0F67F07EC42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369318Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:32.545{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3C47414A1F9947DAAC9797B6003244,SHA256=916EA0F93B368E31EEADAD3C8718BBDDF232CA8D0DD0A70789F5ECBEE50D261A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322929Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.225{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D01055B96BC1C7D5916D57CA7CE1A0,SHA256=D2C592274B63411B17DC760351C96CABD3F316DAC490C168F351AAD1F44EE00E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322928Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.100{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322927Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.100{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322926Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.100{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000369320Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:31.089{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-54146-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369319Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:33.607{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2362395FD74852A495FC15BF5D640E73,SHA256=4E705E8A995AECA4F8C098F4A8B8C32D4B1A457146DBC458BB287D53E204F5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322930Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:33.272{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6E6B2F8CF79699CE5F0968A73EB8CB,SHA256=2E195B33A99F12745AC6D3373A2F4A149B0CF2E3A2A1CB739B1E8DD99C720166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369323Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.623{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D912595B69D9E2EDE6858E242E34E4,SHA256=1CCC0CBCA48EA7D9DD60AAF4B8A7CF8D6E01B1F7CDEE4F652FFBAEA9D193AB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322931Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:34.272{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CD2B3336BEFC3E1ACA6397CB484E47,SHA256=6643A5F997467C9F7BD31885030DD5A9F921C360EFC21E74A9159A073DC5D39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369322Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.388{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D357F49890E429A06D1B6B849FB03BE6,SHA256=81B08DE7AC98C1F52DD1A0ECED024CC970D8EC798B56B3057058B7463358E4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369321Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.123{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6C8B1EC701A5F07733E2089C7B32ABA,SHA256=991DA6633972D91A06563E185BCDDDFACEF5C96038439FEE3E8D0DE03BF7B8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369324Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:35.639{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466A9EDC19CDAA4E1C5E8F84E6AC46BF,SHA256=F7B827C18DD5E77832D6F5AEF7C16BEB55BEB5329D2B6D917092AD7702E1CA16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322936Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:33.555{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49943-false10.0.1.12-8000- 10341000x8000000000000000322935Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.366{99D2EDAA-5ABF-619F-0B00-000000001002}6162332C:\Windows\system32\lsass.exe{99D2EDAA-5AA3-619F-0100-000000001002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000322934Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.366{99D2EDAA-5ABF-619F-0B00-000000001002}6162332C:\Windows\system32\lsass.exe{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322933Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.366{99D2EDAA-5ABF-619F-0B00-000000001002}6162332C:\Windows\system32\lsass.exe{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322932Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC2FAC266B1454EB9D3F5E8115F07BB,SHA256=41AFAC3371733CE51E4CB4D0CB394F9EAE72CCC59F67DCC9B084A96E1751847C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369329Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.371{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-49944-false10.0.1.14win-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000369328Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.161{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369327Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:33.439{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-4298-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369326Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:36.654{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6027E2F91167139E52011BD1034B6BA4,SHA256=43AD148824457BD5660C76D157F9B0D171F407E4641099174AFAD2C1D7D34F43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322939Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:34.921{99D2EDAA-5AA3-619F-0100-000000001002}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49944-false10.0.1.14-445microsoft-ds 23542300x8000000000000000322938Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:36.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BD07E366966BCF8F49D33F9E6D4608,SHA256=0355E8713DBE95F823804F06FD7A2CB6E07ACCEF3FF2FD69C6FA4F34A4547575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369325Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:36.295{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE75876EAD14530E6AAFF705AF6390DF,SHA256=DDE67A355BAB2AFFC9B35541C5D9F3A4EBE697E0A108B679C27AB575BBA4BF2D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000322937Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:00:36.256{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x4afbe7ec) 354300x8000000000000000369331Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:35.239{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-266.attackrange.local123ntpfalse10.0.1.15-123ntp 23542300x8000000000000000369330Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:37.670{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F9008BD0E1E6F867C9280AD9CF1A8,SHA256=C2324FAB089AF59BEDC0E38964DE8866C314719E3198C501026B46A7AB5B1C9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322941Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.789{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-61.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x8000000000000000322940Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:37.350{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855E0BB2C0D97E80EDEDF3DD1D6699E8,SHA256=1B4F70ED2CC6A0E17518ED9159F89A1132F8B373EBA68AF3E8EBDD43FEA3C230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369334Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:38.826{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=830C2625F8679A2CAC9A69AEED128751,SHA256=69E592817482ACCED0319DEC8D25CE3F73BEE448B36709A427B29F58008294D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369333Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:35.966{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-12617-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369332Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:38.670{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76838CB6508E89842AB8F8B0640D2A31,SHA256=EFDD2A666FBE3944902A4916CDE6209BBC1D8B83FEB09D5FA462B0F8A2FA89CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322942Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:38.381{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D078260832A946ADDBD9860026AA9F,SHA256=9ECBCED01C763916CA1D65454AAB490D830CD0FC2E7460D485C7A48EFA46EB42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369394Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.796{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369393Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.796{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369392Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.796{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369391Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.765{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369390Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.733{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322944Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:39.398{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96EB2000443E0CEFD46BE2603896CFB,SHA256=98B0F964391C70DDB2B25B40063DFA43A4920EFA72623ED904883960DD4915BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369389Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369388Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369387Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369386Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369385Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369384Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369383Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369382Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369381Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.608{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369380Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.546{27B459FE-5AC5-619F-1600-000000000F02}12882092C:\Windows\System32\svchost.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369379Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.546{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000369378Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.499{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-11-25 09:53:42.788 23542300x8000000000000000369377Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.483{27B459FE-5C05-619F-B200-000000000F02}4748ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=E3C42322EB9D0A3E07C0E31B62E4FC00,SHA256=6A9B273357366326DD81162D7E727C71D9EAAE8CFF22202AAF79B0F3461E92C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369376Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.468{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.ps1.lnk2021-11-25 09:53:42.319 23542300x8000000000000000369375Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.468{27B459FE-5C05-619F-B200-000000000F02}4748ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.ps1.lnkMD5=26B0DCE4C2D45728BED2C3598508B9F6,SHA256=12FFC3C59F47CDE04FD1D9D15ED62108C57078158CF1818A327798A20623E725,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369374Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369373Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369372Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369371Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369370Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369369Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5C05-619F-B200-000000000F02}47485912C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369368Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.409{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\System32\notepad.exe" "C:\Temp\1.ps1"C:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000369367Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369366Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369365Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369364Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369363Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369362Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369361Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369360Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369359Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369358Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369357Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369356Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369355Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369354Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369353Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369352Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369351Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369350Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369349Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369348Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369347Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369346Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369345Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369344Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369343Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369342Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system