354300x8000000000000000368908Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:27.117{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368907Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5039D4E2C771FB9FD505B4FA6048D597,SHA256=CE07AF810F0487D85F89C110723B257D955959A36D0358A12529E40735E583FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322729Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:29.366{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C1A084B9533AB76854B2C19E9EEC2D18,SHA256=BE1B419DBCAE528895AC3BB74F96BA229F4BC481D4886C405CB80BDE84C63312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322728Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:29.163{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1DF97A9F9BD0C436F6433EB59DDD2D,SHA256=14E8F143FB55FE2E2B53E3AEA8595ED80590F0300813F2985ED8AB1B51AE28AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368906Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.341{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3FDAC629F6322DF57EF5BC56BF3660D,SHA256=0524777DE2B1C26A546A2F1BA1A8DE125A282F2310A221D760C09CCC413952BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368905Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20853A8A08CAC51A6D9FB86A880FF399,SHA256=AEDD8F41A35D4D82421B89CACC1277CE0215B89A981A17BBB185B10BF7BD6318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368904Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=008FA337F9BCA10B61E8BF8FABC392CF,SHA256=AE9E53BB18A6DE747618BBE1C20C41709DBA26727FC071F8D2195AE2CC5B335F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368903Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.263{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7334A6AFBF3D8B7154DFC3854EC1CA5,SHA256=5CD5B8619C0E1736E941AB4FA43D0D369120B3DBDA326662B1E8787D5183B26D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000368902Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PubSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplication\0000ecb9837aa96085e95a514805c6e0a2b900000904\PublisherAmazon Web Services 13241300x8000000000000000368901Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-VerSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\BinProductVersion8.2.9.8 13241300x8000000000000000368900Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LinkDate07/08/2020 18:42:42 13241300x8000000000000000368899Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PubSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\Publisheramazon inc. 13241300x8000000000000000368898Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PathSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvif\xenvif.sys 13241300x8000000000000000368897Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-VerSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\BinProductVersion8.4.0.11 13241300x8000000000000000368896Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LinkDate01/12/2021 17:17:37 13241300x8000000000000000368895Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PubSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\Publisheramazon inc. 13241300x8000000000000000368894Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PathSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xenvbd.sys 13241300x8000000000000000368893Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-VerSetValue2021-11-25 09:59:28.856{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\BinProductVersion8.2.5.32 13241300x8000000000000000368892Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-25 09:59:28.856{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\LinkDate11/19/2018 22:01:56 354300x8000000000000000368911Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:27.551{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20145-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368910Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:30.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F15935D69D603A55F69FA49596977A,SHA256=3BD76148574527D5FB61A37EEB9BAAFC0F8B9318BEA8B2732F749FA9E4B47158,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322732Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:27.665{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49929-false10.0.1.12-8000- 23542300x8000000000000000322731Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:30.178{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682AC454E1537D7C383DAF5B12A18824,SHA256=C88B9000C887737B3E98C4FF11CFE84D47B69C094215CE9D58EBBF30475949E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368909Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:30.497{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33BB72833818508BC9622E1CAA1ED557,SHA256=9FDF15D0B6D0E47D7E7EE7E108459EB4FB39AF8919B8BBE053F5BDC8F3774B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322730Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:30.163{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368912Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:31.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BAD60EE1B67E00E56F88292594130D,SHA256=76564F9EFAE3C5E9A69CD500269BC74606A591963F16CF9B6E7FF086C046B5B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322735Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:31.741{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-0C00-000000001002}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322734Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:31.741{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-0F00-000000001002}920C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322733Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:31.225{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8475239B6CAA446AC649EBF8E355DF2,SHA256=48223B627B5C862D55503E7F6E0F51C2BCD0A40AB01B104995FDD58E81427E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368915Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:32.778{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FB51D6198A19A39ABA37847EAED073F,SHA256=F18C9968FA698E29D6A088C9EC9606293C498BBDAEBDD6E48FBF2E4CAE4F1242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368914Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.823{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-27602-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368913Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:32.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7DA47D2E0DC53DAEEAF134F4D8945C,SHA256=66F07A1BA1EDB747205B4400F622D87DB2BF0C7834D23989A1EE405FBFFBDE76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322737Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:29.696{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49930-false10.0.1.12-8089- 23542300x8000000000000000322736Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:32.241{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B690C9CDFF42C352002C3EFD12DF0E,SHA256=84851CBC15334004488C6014110177BAA41A90F1FD5804FB88C6C290F79BCBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368916Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:33.656{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E963A4ADC880667655EE588F046B368,SHA256=340CA3FE39680A99DE09D0B7FF92174DF5B5ADDFACF5A299572413215F5D3CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322738Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:33.256{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFB33C68642802FDEF8C28607A213F0,SHA256=D70355E57870C17CB618D4B1E62CB7A2F7784510C42B42C70D786CF08113BB5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368919Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:32.161{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35163-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368918Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:34.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF802633B4A9E8C725F0D00D2A18900,SHA256=FF70B92CC0955256EC93BCD59BDCF4F22C6F937F242AF83560A193EE886EBD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322739Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:34.288{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8700C5A527A92C587C0C4DA60A476D,SHA256=AA40FA89FB10D5FB6E994AAFBE7CF6ECD7A7541DB806D966D9D514B147581877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368917Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:34.372{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=37501820DF7F1497AC6713FD1DF49098,SHA256=80312B321886C1B239575BFFBD41CCEBAAB1578330DEC87769AC6838422486EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368922Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:33.084{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368921Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:35.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D9A9CC6E3ED5A69BA2010F1EB80218,SHA256=2012EA84B9F4A4291BED8D505362DC019C26CF002EED4BE0C3F4BCC698F222FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322740Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:35.303{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71541D406386EB4ABF5C3820C3F6765F,SHA256=13CDA3E014D1A468BCDD5BAA24FF4A0CDF11FB9437BA06CAA7223222F75ED1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368920Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:35.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7674557C1536FA4CE58065962FE181A9,SHA256=05BBAE8964AB163C073731171173696CE15D54E2C15FBC17A738625B180B2CD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368924Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:34.468{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-43626-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368923Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:36.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E919B31C7A1001D179743431D7FB40CE,SHA256=B5FF2A45C11BE9F2C5F03B414B2B77BC449891E3ABAD546FF4BD367437FBECB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322742Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:33.649{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49931-false10.0.1.12-8000- 23542300x8000000000000000322741Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:36.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AC28B998FC0F87796B413234D8417F,SHA256=07DC81CE11AC4D7CEE52003E6C31CC41561A6EB07F42ED4A25AC1DEDA9C792B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368926Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:37.716{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC78F8FEB31AA651529D4190CFC80487,SHA256=920C16D998967367229ECC73274CC2D93BE5CC90BEF4B5823BF9FE4D6258C27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368925Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:37.677{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9285154A4FBEFCBE350BD6BB548E744,SHA256=DFE4B6318CFBA655B642A1436FF5825E8A749830434948AF7B78C1C23491C74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322743Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:37.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79164F28C2B322DDD6347EDD99288658,SHA256=724976137EDA3CBF3BEB218500390AF22F4EDDD6A8C3D4713CDDE1EDB578B22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368927Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:38.685{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92E8D06DCB5B9ED756728639E3B47CC,SHA256=3F87A7D983F38D21466F1904D872D3F0DEE935FD914F3EBC6565570C213AEA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322744Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:38.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6893CA2DB988C8F3D9D419ADA323A4AE,SHA256=C5C0BA5E848292CE02205F352EC2FF5155FA316941802275F3565ED67A8BFA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368936Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.874{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A972AC2510EB9E41247FCD73D9321C7A,SHA256=75ED45B36A50EDA2FF48DA7AA5D9DAD99AF2BD4161F616E0D521688A27BFD582,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000368935Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368934Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368933Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368932Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368931Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368930Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368929Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000368928Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825DB2A5047770AFC50BDF35C59AF09D,SHA256=E2AD3D2A72F6BFC5E14663C289A7F15CF9B44DEA67F0087AF7EA0C3DDBB8067A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000322746Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:39.477{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x29240dfb) 23542300x8000000000000000322745Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:39.367{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDC1FDBC26200FD43DF86A8E9EA20DE,SHA256=46967631AAF39F5311907AC8979CA72D9BABED181815BBEAAB9DB74E4063FAF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368939Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:38.303{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000368938Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:37.051{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-52652-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368937Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:40.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3101E1F0EEF92C93E8CDEF62C2DE09E,SHA256=C33B5D54BF8530FB3D9F218516530B181062A396DD8603D0BBCD764F1BB5C70C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000322758Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000322757Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000f892c) 13241300x8000000000000000322756Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1da-0xc7e49241) 13241300x8000000000000000322755Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0x29a8fa41) 13241300x8000000000000000322754Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1eb-0x8b6d6241) 13241300x8000000000000000322753Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000322752Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000f892c) 13241300x8000000000000000322751Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1da-0xc7e49241) 13241300x8000000000000000322750Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0x29a8fa41) 13241300x8000000000000000322749Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1eb-0x8b6d6241) 354300x8000000000000000322748Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:38.681{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49932-false10.0.1.12-8000- 23542300x8000000000000000322747Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:40.383{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C26C728E6584B013FE0CE2190EDCBA,SHA256=14DDF17E3D8F14FB61C3D844190989BC3D1EEF9642586F8E140204EAF4B5EABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368941Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.154{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-1277-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368940Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:41.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DDAE1ADFC2ABF98D43C9E8076E3513,SHA256=CBC230C58AFB80EA49EF7989B657EFEE40897F0B7CB713787AE795B74BE2D929,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322760Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:39.009{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-61.attackrange.local123ntpfalse40.119.148.38-123ntp 23542300x8000000000000000322759Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:41.399{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2245EABAFA6FD43D12CA40D4B3CBE016,SHA256=74C7DF0754C4829AE7D6785566D153F11FBBF4CC9913D95220BEF596D488F9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368943Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:42.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167FEA172E30573DD8DEFA5FB1B4BBA2,SHA256=A45B0F4003A6BEE9DFF3EAC47CA5DA27185FF8FF01EFD2A899C171445CFF074F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322761Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:42.399{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50032ADDB1143B44A2B081DD5DC6F9FA,SHA256=5F981CFFCBE156E08ED8EAFAB074FB231495624505532A185051C73FEFD028F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368942Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:42.436{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2970C5E2288821242297E98D3B9B006A,SHA256=CCE247C87118385183C1B713A0941BDE1AA2964225DEAED7A9037723D241EFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368944Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:43.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4ED64C02A2A5BAB3ADB9CAD163D992,SHA256=E23AA608B7E4C182B0CBE34DFB5E3238A0D9AEE0405A07097F7DA2F36F16DAD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322775Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322774Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322773Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322772Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322771Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322770Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322769Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322768Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322767Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322766Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322765Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322764Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322763Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.868{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322762Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.399{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2919B5016E3F1EDE1E647EC94308D0,SHA256=1461EEB007AEEAF3E9E0520E091F449DAA862C2FD23D83964A5BF6B721E3697F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368946Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:42.167{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-10129-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368945Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:44.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2410C7A07E5670D983D3437D880CEE60,SHA256=EEDEA6A20A16775F5A8168BEC48A28417AD8CA038635669F5AFFE4DBF5ACBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322776Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:44.430{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CAF63BDF332EFDD0DEE4D73894E7A9,SHA256=98D43C5D00F726AB4F529D9BDF0EF05166F73C4CD7567DA596BBDB114D03B6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368948Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:45.718{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C26721EC2E314138E6A6BB0B160558F,SHA256=1039BA84BB92362C50F5428479DECDC21A5C4415C7FAFF4D3E2BE86C80C62771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322793Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.477{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C89545C214DC821EF99582218EEF8E4,SHA256=0EFA0A8157AB17AE4EDF5AE9CCAE2A5C247A46707080A712C9462876C3895F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368947Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:45.343{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8194C7E70C2F58F4D2589A7BCF91C567,SHA256=DA6EF15962860C92C86F87E29D98FD8223382588075B537D15556288B553ADA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322792Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.305{99D2EDAA-5E91-619F-0601-000000001002}33282572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322791Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322790Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322789Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322788Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322787Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322786Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322785Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322784Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322783Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322782Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322781Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322780Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322779Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322778Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.071{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86BAABEDC107E17288D4FBCE19B6A328,SHA256=4D30C3FC37B3E2DF3EB98FD120D1E461F7D51997E63E73EFCEC792C6A66F2AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322777Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.071{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6137B7189057A3B97ECB074DF5BA24A0,SHA256=572E69844FB84E39560AF1B440CFC029BADF46D378DD2CC6E03B55F7C3F1B777,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368950Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:44.181{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368949Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:46.811{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33135FDF420BBBEA3739FA7884068952,SHA256=B62E4AF28AE0D49D469744575D6D558D980C1774DCF583077BA35E7A3D42D2CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322809Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.760{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49933-false10.0.1.12-8000- 23542300x8000000000000000322808Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.492{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4849F5CF17BAF41092D192EABF4ACE9F,SHA256=5CDBEE69B41C8145866E34F092C7A63B962D8DFFED652B1C285D0EA61EA81A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322807Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.180{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86BAABEDC107E17288D4FBCE19B6A328,SHA256=4D30C3FC37B3E2DF3EB98FD120D1E461F7D51997E63E73EFCEC792C6A66F2AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322806Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322805Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322804Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322803Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322802Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322801Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322800Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322799Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322798Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322797Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322796Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322795Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322794Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000368953Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:44.646{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-17920-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368952Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:47.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F1D2CCE66604F287C35FB9BB07EDED,SHA256=F9EF224FE51A23C73065109C7C335D73CFFC8F0031B3F7B2375BCF98BC1F0ADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322824Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.868{99D2EDAA-5E93-619F-0801-000000001002}6843132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322823Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322822Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322821Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322820Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322819Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322818Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322817Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322816Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322815Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322814Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322813Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322812Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322811Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322810Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.492{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2E07E439274CC7AA53EE38A0742431,SHA256=9AF67D90070EA4E16C3D572D33A5C26C7940D6625331EB426DAE26660118AC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368951Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:47.265{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7352668E4344D76EF0E8279C5F12E25,SHA256=14562C6CB39143A633267FA2F22774A2442A1E5AFD90B36A4B960D6D2991B418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368954Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:48.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A13A56642A3730866D3878183E087F,SHA256=331A70B4B0950950812EAD065184A8368E49ED5782FCB93D5488C5F72B160AC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322840Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.821{99D2EDAA-5E94-619F-0901-000000001002}37883364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322839Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322838Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322837Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322836Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322835Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322834Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322833Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322832Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322831Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322830Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322829Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322828Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322827Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.634{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322826Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.617{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42BD67943C09F27A8130CED579889EE3,SHA256=1734AEB882D94C667CF3B6E43518F616274966E1F1F9B31E3B55A889C4431BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322825Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.492{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4D97C4DCDB41B198340BFC372EEA1,SHA256=00FA9AE41AAD07A1E25C0A3E30B55FBAA8C300F7DAAB1795ABD78B645CABB2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322856Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.977{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=852BC720FA3BE5EB864627307A0DAC8B,SHA256=638061B88FC25E119EC989D347385F47AEE61143759AF4F9360893F20C983F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322855Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.977{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B28910A3C0F63C010D3BBC7A9CB8CE,SHA256=AAC7D224A36A59731786DDB2AE4030A7E17E1E0F73F90612C1C88B1E351D62B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322854Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.602{99D2EDAA-5E95-619F-0A01-000000001002}28842628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000368955Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:49.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0012E6A18E234D4A1E424776E4BE47D,SHA256=CCD63F6D298A12C932442A2A527CA75C163B6F29F43C0B9A337CFB073467FC69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322853Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322852Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322851Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322850Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322849Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322848Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322847Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322846Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322845Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322844Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322843Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322842Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322841Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000368961Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.968{27B459FE-5AC5-619F-1600-000000000F02}1288NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFfaa9e.TMPMD5=49B0042F3BC51E28EFEB859CA90E8111,SHA256=0FC01FE6DE4BE50A4543D18A46A15CB18800BB9E25174A9A66570CFD6420E9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368960Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.905{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABFCB48034094F69EF0F000AB71BF6B,SHA256=9D5B086B4EB4D89DB65DB4B036CB6225DB8AFA0B027C71A56CA88C9549820BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322870Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322869Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322868Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322867Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322866Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322865Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322864Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322863Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322862Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322861Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322860Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322859Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322858Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322857Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.633{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37852C74162B926F1F055902BD616130,SHA256=B4CE663E513B4505BC8B0750AD17F26406E7ACB15FEAFA3559D00F0571B30CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368959Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5870335E3DBB8BBCCD415BA36BE92C3,SHA256=FF37D3283D9674D8AC8D53E512A2240CA0225DDC7691157062A1A5CA19F69D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368958Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20853A8A08CAC51A6D9FB86A880FF399,SHA256=AEDD8F41A35D4D82421B89CACC1277CE0215B89A981A17BBB185B10BF7BD6318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368957Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.812{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E158791F605C2DF6D3FDF6020EB72FF6,SHA256=E871AC008F114F2B470953EC8EAB40343E5D4E259FA4DD1EBF456273C6E0CED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368956Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:47.027{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-24583-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368962Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:51.906{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1975FB0243276DCA7299E6E402E66327,SHA256=7D9920B6DA26BA5C5109F17D61D2F05DD0F0492EEAF91B3E9E639A409EF3D1DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322872Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.635{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49934-false10.0.1.12-8000- 23542300x8000000000000000322871Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:51.633{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CA33866ACCD3541EFD613567078ABE,SHA256=B6AA31360987FB67B393F9613965776B42BB0C0242970DD24CC07B97CF280FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368964Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:52.921{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47DAD7652D7BBC24A8BA6858E6A51E4,SHA256=CC36401FC391573832E714815B07AA670991CADAECE9398B21E4B7D1F357C37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322874Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:52.633{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB61C526BF8975074A0D052962B54DDA,SHA256=A327FDDCA60D3AD520D56DC71EE95145DFA4C46D6CC7A815F156D4B9B24EC9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368963Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:52.405{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5870335E3DBB8BBCCD415BA36BE92C3,SHA256=FF37D3283D9674D8AC8D53E512A2240CA0225DDC7691157062A1A5CA19F69D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322873Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:52.055{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A58D9B99E3310662F9AF674888F3BDDD,SHA256=C8BD27A46B5807668758FF2B894CEC229C6E0BC2559C5AC84B4F21C1FB2AA9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368968Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:53.921{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E6A140EB340520FE469BD883EF5728,SHA256=ED9A01A6C21EF188D602726B308902B1386658C9069F98BFB742D37CAB301203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322875Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:53.649{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CB384CF25A6B755227ECFE7A1B0379,SHA256=65520861C0A9B9ECF81BF8C1E43F4F74A51D88A9EFDDB06B215E385E11258F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368967Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:53.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B74793CC112E037C70570E7CDB354063,SHA256=79D9B4439C1492673C154E059B975305E8F6011B8D62949CE5E25E59F0F5B035,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368966Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.747{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35728-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000368965Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.057{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368969Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:54.952{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A794EB4927F145743E50DB095BACC72,SHA256=A97CA65B862D7E449390D920924F99A1B8EFE4BB754BCB4A16A530A2F0CE05C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322876Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:54.664{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904AA2DEC024B8E4A4C0C25C68C79B12,SHA256=7CD2C593788FE2582FE2DD1FF8E2FE9DD7BF5563C9BE309254CE298909152E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368970Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:55.952{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280382BDA72691FAA2E5A63142D48381,SHA256=8D815C64277E8BB3A5DB176C9A018475DE7EABB60E6A3B80E39558E472C1F899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322878Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:55.668{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F438EA7B80B8F09D5CB3BAE5DE75B29,SHA256=1F89EF471649FEA9B4114F7F701CB54D418AB21D1D4D44A40D9D3B29E59EA5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322877Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:55.451{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-015MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368971Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:56.968{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F351BEC5C3448D189EEB8E9CD4C1E78A,SHA256=5AD0C2FBCF52EEE65AFFEA77EEBEBA9D7FFC4D0430951F6241A08FFE5EB06860,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322881Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:54.716{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49935-false10.0.1.12-8000- 23542300x8000000000000000322880Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:56.682{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B5AAB9896D6C8D10589F1E0484BE08,SHA256=F436D1716E38FB0F02C22A5DC9A904B378A95EBE50AD256D30B35F4879C1CBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322879Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:56.450{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322882Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:57.716{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22E44CE03F45DEDA8C9EC28D25C3928,SHA256=09DE5FBE37191737D43813989E41482B280D31F2B360B3EBE8AA0FD0D8395278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000368975Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:57.437{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368974Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:57.437{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000368973Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:53.475{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-45157-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368972Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:57.046{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD3131EA63621D54E665DDA60796130,SHA256=BE9385DB273094575E6F70B4747F5E9CA5219C526672C0327B2FB33C3D38A7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322883Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:58.763{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C83FFA718B82BF2D410E5D5F5A74EE,SHA256=B9BF05B8CB2D30A11289657CF3A4BC4982F2475BDA3BF0A59CAA0EE0DCEE15FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368977Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:58.173{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFD4795807A43C24EEA5EF5893EB866,SHA256=CC3D1CC532CCA2A2E2466D221415C64C60B0B3FE44AB5606120B85A130446538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368976Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:55.226{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58825-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000322884Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:59.807{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5E0FCB7967707F9AD8FAC8E3EBA022,SHA256=84E2D21258BB887E14BD6A648A88E15CEBB2469F3D95E59C35AAB423BB0DFE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368980Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:59.892{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCC2312721A6F667A0CC271922A04E2C,SHA256=9598C93C286BE9AF8133951F81AFB59676DF3F9DD22F6793208ADD21D5B22F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368979Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:59.202{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F2DDA793A3816EAF2A4E569909B35A,SHA256=54D9EFD786479709BB47F8704BD72F14B9B12E6115A01FEFC1EDEE47BA53B5A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368978Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:56.408{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-55258-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322885Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:00.870{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FA16B9010971CED4B1516A2C1067CD,SHA256=D624CF349518C4694885B7DBCBE9B8EE2F6DF832706843466FB53C035F45E6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368981Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:00.220{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2A2393DA52C779D52B8EDB906DDEDB,SHA256=B021EBC1917A397E7A12FBB09268D5CCCC080F423F9A02A4D5BC574B4CDD00A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322886Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:01.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947649622F55066F8E847230EB75DAC0,SHA256=DAE317BA9D1BDC3ACC2A4DAF31C18E690567DCE2A70182630B5C15AA75773B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368982Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:01.220{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93138BFBBD93FE73186FAE4A39A3162C,SHA256=71F04F0BCD4D4057E8355FD59318643FB70DE758C3466E682D0A3AB8FD624E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322887Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:02.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E2CF063AE51403507008248CBBD728,SHA256=1DBB7C314B5499848B6E92615202EADE98C123DBE7BF04786CAE307675120E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368985Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.220{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0D08AB2535955E1015FE3F2B3FE781,SHA256=14B1FAEF4DFBD113A4BF74C838CF8A7AAFD45D80BC1B13FFE3AEDFF5298C5509,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368984Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:59.244{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-5575-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368983Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.017{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=926D174E9B47FBAC4B1064B6F2F0D483,SHA256=668F38495496A446A20092AD779F83336A169188E48C5834620F0BC5A2FCAE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322889Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:03.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D85C55DFE8A0B92AACA620911C1ED52,SHA256=A52296727B8F349DF3CDA94A074B4AC85240B800C22ED751CED8FD9799A57B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368986Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:03.253{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0EFECBA3F25AD6DDDACBD6D0042363,SHA256=E7848F802E5869E693F4753C54E39A33A642D9452513888794D8712097EF8C4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322888Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:59.793{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49936-false10.0.1.12-8000- 10341000x8000000000000000368998Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368997Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368996Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368995Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368994Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368993Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000368992Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000368991Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.471{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000368990Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.329{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C6428EEDBB90B6141AE79FE7200FA5,SHA256=AE24DB82B73D91955B065A5663FCBE3A951847D103E67041E637BC15CFBFE81C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368989Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:01.474{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-13297-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000368988Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:01.181{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368987Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.267{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2857A54814A41C6723C6FA9099FA87A,SHA256=370D40F20F191A57CE534F6AC22C66A058DE6CBB09D4849DC86E53F32C3D082B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322890Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:04.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD29D34C5A44DE398EA60EB1AFB3E3E,SHA256=BB4F159436A3F5BF5E613167F587B3235A7A2D8BF8F3B4BF2128020E7E917E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322891Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:05.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6988C44C052003502EB254CB1C5BE37,SHA256=B0C4B38B1AAD7E71F836E40814B494E1B2754AD197B156BAAB423272961FB810,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369010Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369009Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369008Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369007Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369006Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369005Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369004Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369003Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.552{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369002Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.501{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9895B882A55110F65E237833C5B0E80B,SHA256=D7BBB3C244316A6D521689C4B820862E035535E247C3FE9A93B39C39CA19B961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369001Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.360{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085CB614E73EFE92AF6E7F325746E8AB,SHA256=AE5E4B9AE3FB74068F6EBBC3CE72360A83B8E1B47D164E17203323CB249B6D1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369000Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.556{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58827-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000368999Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.556{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58827-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000322892Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:06.932{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEDEC7387B8CE573537A5824D1AE4A1,SHA256=79671F075DF6635B7738EA0E637D22D86A015741A8362E854D8A76D80A7A3E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369013Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.579{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBC57CD72DCC57F3D399539EB9D145F,SHA256=C73B64031C2551D1E46FD8B85632DE94C0368AB66313AD21B0F858817FC84348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369012Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.548{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=637E1BB74BE684FAE8341755F8077FE7,SHA256=82EE31FE7B1BCDA1FAA47068464FE19BF0239857AB31DA0FA35834385B982138,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369011Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.173{27B459FE-5EA5-619F-3D01-000000000F02}53004036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322893Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:07.948{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09A1E98767EA542FE3C899F1CE16DDA,SHA256=68761A8DEB43883C5EA281CEB501E3AF3AC83090AF5D2AF31B0D61A767594354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369024Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.642{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F58B70B88A271394E503212E6B63AB5,SHA256=C8655144D1528351CA5FE851FC6DBCA63CEDC6D69DAC827DE7DCEB073D6019E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369023Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.642{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6A586F7CC239B83964DAECC25C0B9B1,SHA256=0AFF67995F82C02CCD9C138368350489A423D59E759CA854F7E5972ED9AB29F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369022Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:03.762{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-21374-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369021Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.036{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369020Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369019Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.036{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369018Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369017Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369016Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369015Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369014Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.565{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369034Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.986{27B459FE-5EA8-619F-3F01-000000000F02}13124900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369033Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.736{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369032Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369031Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369030Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369029Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369028Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369027Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369026Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.549{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369025Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.673{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218E80E49FC38B83BACDED9072D64D3C,SHA256=DA7D7BBECD732FA94EC233D727F968E0FF29AF2AF3147A5A0F3DB95033B6C58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322895Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:08.963{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF900357F8A05ED2CCED9FC03C9F527,SHA256=F907D8BB44863A052A37DF5BB48F3AA00A4E396A1CD6A3630D800810AA54C11D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322894Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:05.809{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49937-false10.0.1.12-8000- 23542300x8000000000000000322896Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:09.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DB667DCD3E12A72ECE88915CE3EB09,SHA256=7A258832922328101C87F683C203AE1478D0CA661C16F5C2CB4405F97B978AEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369047Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.861{27B459FE-5EA9-619F-4001-000000000F02}52885324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369046Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.689{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CA70D68FE3F3201889619C9BDB96E7,SHA256=3BB14BD34C885B8C4741AA7F2EDF41CAD2AC9E160A454795A73895D23A6B4841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369045Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.564{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1BD547E179E2BF47314A0A8EACFA082,SHA256=4FC2EB7625ADD16641184AD055B6A1DF1896DDFA0FDD1CE6601D4352D2543B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369044Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369043Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369042Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369041Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369040Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369039Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369038Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369037Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.440{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000369036Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.292{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58828-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369035Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.132{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-29311-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322897Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:10.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8B579F3A90620AB3DA3D9093DE0D62,SHA256=DA81E181C86F2F4163DD030571232960F8F723A2CA057442E9F5B3BFC6EA3B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369057Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.704{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054B20098A02886D6C1D416C3BF0062A,SHA256=2BF1D3E8E7D3F65191C77460E77CC7B8356BE1A458B44831F1AE553BD4FAFC67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369056Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.642{27B459FE-5EAA-619F-4101-000000000F02}43444424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369055Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369054Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369053Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369052Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369051Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369050Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369049Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369048Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.331{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322898Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:11.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA9576AC5377867E53CEB632E297ADF,SHA256=4A36761E5FDD082099FD57D2393F4619049A5D01BA9C406773E43E17DC5EBA79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369059Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:11.736{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAE14D389021799BC9493F15FCE5A6C,SHA256=218E068525B5C4EF9FC57841864C54812EFC99B2447C526F0321E12639111646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369058Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:11.345{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B04AAB04CADB6C6A551B481E2EEF4E2A,SHA256=84BA08A3DA6A6ED2129E470FCF68036D523731535E5E1B334FBE520CCAC19B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369070Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.783{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB5C06538B0242F197EF7EACF0E04DB5,SHA256=F17E432824C43075CA206C8801779AD67E0072BE84A46ACA44F2BA330DEFB35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369069Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.736{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4ADA415CE64B6F87DB5042E57E3E41,SHA256=14CEF4C42D71A677B6DF9E0788D852D202B540C54C6B7397DEEEC716A603F4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322899Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:12.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2CAB3C5170AF8AF03D02ECF1EEC57B,SHA256=D2BC2FFC42D6CA2E0C9BA53468F1A1E189E538A34132292548BA8FAEF98A64AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369068Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.171{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-39932-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369067Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369066Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369065Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369064Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369063Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369062Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369061Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369060Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.096{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369071Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:13.751{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7883932A533D67635571CE73ADB7CA16,SHA256=B1688BD019101D4B29FBFF941DB1B4CDB86DE2D15F103425CDCE3A060946B2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322900Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:13.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DFA42009EC46F7E80E80797B6257F8,SHA256=3B61418A0A1BA578AAE7235C4DA1D6326D3351A4000C44A7A990ED79B76B1131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369075Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:14.876{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2924B8A080075AC2A2EAC5F6DFE0AF51,SHA256=B29DC8A6A01861AB0764611CB33D66191FBE9594969E467553C7B5259C8816EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322902Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:14.995{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B5384F915FD87FD82243FCFC7891D6,SHA256=E987CAF7DBF18FC7EBE35F168C20068FD5BBFF46C0DA0678F22C18931B2A6769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369074Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:14.580{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369073Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.129{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-50516-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369072Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.119{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58829-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000322901Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:11.684{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49938-false10.0.1.12-8000- 23542300x8000000000000000369078Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:15.885{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A8C7735005794EFC9ADF16DF53A028,SHA256=75888480D8D6E56021D1C51541D6D941180DA2534B0BB84B581F445EF0F02619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369077Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:15.590{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-015MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369076Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:15.226{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5149B60EA15F6A124AD6B3A0E5300847,SHA256=75E8AB68CCD7F0A1DB012D1B1368F3BED2F65D703826724B5F36E7D254DC98D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369081Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.946{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8DE0C65D51B6C78CA33C498A697EB7,SHA256=898E7263EE2226738B22276EC35BCFE5C362C41FF2A9D850FE0E262EE9FD9513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322903Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:16.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A737A0C6934FF05D8BDF477823B5D4,SHA256=30AE54A6BE74B5A0828FF3E5CBF2AB093668E4BC0E0901077EEB063DD37DD5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369080Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.573{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369079Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:13.603{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58830-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000369084Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.951{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7952769F64A26FCB5FB214CF29D46A3C,SHA256=8E1C33B80CAB274DB768F13A189667FD9850C9520D9CD15969AAC3F893B957D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369083Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.560{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B40D4A40738CE646CCE2CC6380F11D8,SHA256=9545D1ED1F0C928204508C98B0732953EB215F18101104340D70869F9FEAFB0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369082Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:14.506{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-58552-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322904Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:17.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B39046AFBB1F52CE2CA9742082C8FD,SHA256=D9E14C56A1B068F8FE6C529AB10BECA618C477543C5A0F7CEB8AE5B0CAC2A465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369085Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:18.951{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7782071E1A2BEF4ADACD1962667AE310,SHA256=AC1482D0257C244DBE6B58AF6894F2743D5ACB0ED1467E5C278F450EC006A658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322905Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:18.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B858D2CE4A18FF78E43ADA0694A63F,SHA256=CBC59AA3100755515A8EBA539DD1163F191799274A0B0064BFE0EB8D1C432926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369086Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:19.966{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508DC6620C6AFCF576EA6A65E99983C1,SHA256=CBE316F721AC88273DF1CF19901A9AB4773D00AA8D1E011CCF90E93B94A25F10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322908Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:17.591{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49939-false10.0.1.12-8000- 13241300x8000000000000000322907Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:00:19.506{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x41000776) 23542300x8000000000000000322906Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:19.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A6C9FD6DF8E873734053EB828CA55A,SHA256=09A0D2C13EC64B44D60AEB3B21833A111A748D0DCA8135FCAD816AA3C2191BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369091Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:20.984{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA063F94991778BCA673FE199AD31E8,SHA256=08381F12D630FD813771E948D438E2CC9F3CA404EECEFB3FDBBB1C5647CAE5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322909Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:20.022{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E19045F5B4A9F25B39BD2059C3AD657,SHA256=A99AB3BF0BF1ACB0E39CAFFD735A601AC50EC4D4F9F447065FF683DD4AE907C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369090Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.165{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58831-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369089Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.077{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-8457-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369088Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.839{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-266.attackrange.local138netbios-dgm 354300x8000000000000000369087Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.839{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-266.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000322910Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:21.037{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0F93A25CEC5A59B69B5A563837969D,SHA256=063345F2E8ECB862304D9C33788961B5E11DEB40D3E3D8CEAB184B214C4465E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369093Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:21.326{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E307067EDE6FA6654C67C817F475C87,SHA256=1A82C3D994950B80C38FE50804E408B2B7087FE2F1A905DE6E082AAA3A2AC3F0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000369092Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:00:21.247{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x4209cec8) 23542300x8000000000000000322911Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:22.053{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4AE5D39C881F7C38771D7671DC3294,SHA256=21F4374F367ECBCB16CF08768F3D997913C9A3FBD347955DF7CE44CD1EC1DDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369094Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:21.998{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E2FA96AF6BB71A80374AC272368CE6,SHA256=089A9F22437BCC4C235703D1C3F97498EFFBC6B25AEF8AF6AF277F367FE0F3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322912Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:23.068{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4774A25B6EEFD8254FADC2C16302ACE1,SHA256=01ADC8E72FEB7781936FD4E03BFF3F6E8ED52DD639591120E1C29BCE474CF972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369147Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.982{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxnmsg.dllMD5=6D4200720B659B72D790526B09FEDFF4,SHA256=66C3CD0325D717523BFD14EAB1CFBE13F614BA753AB125FD734747ACB27EE9CF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369146Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.sysMD5=060959F9BE8EAEACB47255658A7018CB,SHA256=6EC9C4CEC786FF06EA2D6F547798FAE4E255662219FD5536D5FAC7B6108B729F,IMPHASH=5A9046C211055D28BF0892E100F10D44truetrue 23542300x8000000000000000369145Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.PNFMD5=76ECEA82F53EF95A76B2207ABDD1FC97,SHA256=C2730843E1517FDEECD302D93FC7D629A42C4FE9060F6FCA37A7085759907571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369144Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.infMD5=1B69FDC8CCD34B8B3743C8A97C2E90AD,SHA256=83CCF811C2F2F9F8337270D5AF00AE41E76F8BE3E83B1B46A9494A350BC4C142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369143Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.dinMD5=E3142F1ED12D1F1D6574C564FEF14A7F,SHA256=A220E8A7BF2233813DE1EAFD17A075C3B4E071B52E48D9EE17FFA199527A1F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369142Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.catMD5=760F99775B12D3C68FAC49268C261656,SHA256=FDB58B626E4F572F8257D70CA888CC8F2E35B770329FAAADF9BB56C6456C4AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369141Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\NicInVXN.dllMD5=C8AFAA519298C27D145550F2D57B4F94,SHA256=A92B47A8D57DFBAC758E713EB6A62A5969E4EF00DE3463C1179A8133D0A7D620,IMPHASH=913216F349C3C30723EACBE7EFAC0752truetrue 23542300x8000000000000000369140Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.951{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\NicCo4.dllMD5=0BD0040999429E77C02912F052B4A8DC,SHA256=C0109B670B60721665D62C9677B6A816009E7421C341B31DE7B2B76E357694B6,IMPHASH=5A14127160FF1090472EFBA582E1C28Btruetrue 23542300x8000000000000000369139Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.919{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem14.PNFMD5=0156163A3E5B27D5B84D08294B841F19,SHA256=09AF0C75866CB65DD6BD0295651724B1EDB3E8D5947A2C71A451890B3857BF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369138Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.904{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem14.infMD5=1B69FDC8CCD34B8B3743C8A97C2E90AD,SHA256=83CCF811C2F2F9F8337270D5AF00AE41E76F8BE3E83B1B46A9494A350BC4C142,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369137Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.904{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-11-25 10:00:23.701 10341000x8000000000000000369136Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5EB7-619F-4501-000000000F02}19645924C:\Windows\system32\DrvInst.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369135Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369134Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369133Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369132Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369131Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369130Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369129Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.896{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.inf" "0" "484ad2367" "0000000000000BB8" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000369128Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.873{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\null_hecisystem.PNFMD5=B15D63802FF9708FFE41993E7158DAEA,SHA256=3FF15732BD811BDFAD0A25C2BF4B2ACA3650A835BF97E95A034336498B702E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369127Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.873{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\NULL_HECISystem.infMD5=9BE07E097B29209B5691B485F326B6C1,SHA256=ED89E7D2E5399834E6666ABA7770EDB3CFEFEB9D212951596C58E655CCE909A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369126Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.873{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\NULL_HECI.catMD5=21B9B34047D9F75857F25B19F48B21ED,SHA256=E1BFDF4EDC1AEA9B94D3CC1F531A4BFAD96743900ABE8FDBDD5FEC95C863C08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369125Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.810{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem10.infMD5=9BE07E097B29209B5691B485F326B6C1,SHA256=ED89E7D2E5399834E6666ABA7770EDB3CFEFEB9D212951596C58E655CCE909A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369124Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-11-25 10:00:23.701 10341000x8000000000000000369123Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5EB7-619F-4401-000000000F02}58845668C:\Windows\system32\DrvInst.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369122Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369121Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369120Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369119Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369118Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369117Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369116Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.797{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\null_hecisystem.inf" "0" "4deebfe63" "0000000000000B1C" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000369115Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.779{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxnmsg.dllMD5=C4FD6144854107881753962266C11543,SHA256=AB9445DA45C287F09C5BE90EEAB1C2ED7B97982A34949C45DA407F390FACBDB3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369114Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.779{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.sysMD5=AF4E936C49B994EF0A141789C2290A16,SHA256=00D327607BF7D7695AE9A6EB94CB34BC1D8828E834F72D61D2748EFF2B3C5BAA,IMPHASH=E2B74CDB105BD582CF5327E3935D9693truetrue 23542300x8000000000000000369113Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.PNFMD5=94A7A207CDB8652E8A64430AA29827D4,SHA256=7200638615D6DD13BA60ABD2583A912D419E352352971324022C07D822C438B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369112Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.infMD5=199ACC11483A48E8BA7B02842AC2BE15,SHA256=9F3558265B484A5239797B4052E420237A40BCA34D1BE108EA9DD7E462FC6F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369111Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.dinMD5=63E4A99BED8B4322CE1A9692E675A125,SHA256=33D07248FDAB322DAC2B1AD7B01269C57BB6A4148191B9D6CABF5BF6C41742A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369110Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.catMD5=6630B6384092EA07EA6444D817194465,SHA256=C9D99D973DBFB23C0EF1B517C27EDA94477D7E5E94A616C20266D344E892E6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369109Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\NicInVXN.dllMD5=8697E77D522CCA7412460E377FBD7438,SHA256=B98871E10F6FA38FB6D8D4270085BF06396300B228D5885419453FA0C6395678,IMPHASH=ADC7B716DB197BAC9AE69CFC2A7017D8truetrue 23542300x8000000000000000369108Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\NicCo36.dllMD5=4AA441F4AD7491BDB2162F87A1DA6A3A,SHA256=56954C185A7D8CCD391C08FA998B59B13765688CD53BBCFC56E4FE2079B5E4BB,IMPHASH=DD763F8C38ECDB2B8D750E0941DC51EFtruetrue 23542300x8000000000000000369107Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.701{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem3.infMD5=199ACC11483A48E8BA7B02842AC2BE15,SHA256=9F3558265B484A5239797B4052E420237A40BCA34D1BE108EA9DD7E462FC6F11,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369106Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.701{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-11-25 10:00:23.701 10341000x8000000000000000369105Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5EB7-619F-4301-000000000F02}58042700C:\Windows\system32\DrvInst.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369104Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369103Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369102Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369101Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369100Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369099Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.669{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+29cc|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369098Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.679{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.inf" "0" "48643ea57" "0000000000000BB4" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 354300x8000000000000000369097Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:20.551{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20315-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369096Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.482{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E11FD8911627519E0BB09AEA6084E5,SHA256=A60A8F802D087D06DBD17EA2C423B876A6A1AFA5484E791A8C378F010C01D0AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369095Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.013{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D734865D710A3E6235E8DEA90065D08,SHA256=2182179FC2086E812464D0E5488CFC311AAF90C39808C9D29A869794983ACF0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322914Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:22.790{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49940-false10.0.1.12-8000- 23542300x8000000000000000322913Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:24.100{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1489E6AAC6759855815F0A85E3863C35,SHA256=D9B0530247D31451BC32F61292B6ADEFFCC49421A3A3CD12CA220BE24F78066E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369151Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.826{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2C3EB7656A59093CD9A4F1DB2FDF8590,SHA256=2D4BD16108169ADC4FF0C6648744897E5904875EC8D4F227E8BC5F2393AE04F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369150Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.826{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B9A54C9055F808A2379E7C79ACD33287,SHA256=B138268C35AD1242C9C69A25F084D8AC4A338A0D2CA1A85FBDE5AB3534E6AA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369149Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.779{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEAEA411A38437CB419DEDF415521376,SHA256=28C3B0D11AF60381DF9D301D150DE86E4487E9B3C5D417975124D7A43CB6DCD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369148Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.154{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133B1FB6C6D6D6C79537CBE3CBFC0969,SHA256=5EDCE3795928CF21D60E0D150829CFEAD2E8442D66F2077FA90CF808A0702945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369152Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:25.169{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07E52DA0CED7D54A4020D999C078520,SHA256=005ADAF5C166B8A2B28D02C6E368987BD9DA6545D899B7770B3F313B49074ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322915Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:25.131{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93998F2A1CF95E131B75A2EA5F46FEF2,SHA256=30E6534C779D7650FAE2C572892037F89158883827BAE6ABD47040C384DAFFE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369156Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.119{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-28279-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369155Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.101{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58832-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369154Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:26.201{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6833F060C31F01AB4AA184474EC20D76,SHA256=8C6EA38C3D198D9115DFA7C626E5A7F43EAD1BE64B7F093DBE155B517A3FBFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322916Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:26.147{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79017BA536CAD7048D176F0FFE5EEE4E,SHA256=A8A4FE2E9BB0CFD22648A7DD03ED086F6B4F7D8A47C75E0B7F9D303DBFE30E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369153Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:26.044{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A103C4A4D7F91875229BCF2B8BD61DCF,SHA256=31463FE12C475BAB9F84FAF5D88548AEB092068AF360B5691F8CD621B943E779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369157Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:27.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54796F320AF3171AEEBDF43E883962D,SHA256=D2679DC18E8CC228B65E3C031DB240B853224A9A56A57E8D4B91BD17CFFC528B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322917Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:27.178{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBB0717AAADA88E9358A25EF3E9DEBA,SHA256=9313CB26B3A1ED771BC899E3F47AE876814179C1DABBDDA2E4DAE749B72277FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322918Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:28.194{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203A0BBE2D9C8E40547588E0839AB9FB,SHA256=8632F531D23E78799A1798E041B259D6E67C42A3C98694077ABEA763FB0A08F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369159Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:25.479{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35909-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369158Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:28.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA8E811CBC7FD63DEFDE3B4EE9D8913,SHA256=430DB32A46DBEBB28F620347FD72CD57D10793AF69845032D8D5FED0DB43CE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369306Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.451{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\WimProvider.dllMD5=1B0C7DFB2240BA004B37904073624DB3,SHA256=F2C7DB522DDE968EDF49B03BC10978AAC4C42C745CA4A474627E8CEBBCEBB00A,IMPHASH=20D31D66F56B810094B1AA564C92009Dtruetrue 23542300x8000000000000000369305Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.435{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\VhdProvider.dllMD5=F37C8F5BF852151D9BF085687A8DEC6D,SHA256=6CDFC95C2F2ED3695D5EE8CF4367A6C7FB5707DA3C234CEE8FA8C1BBDE426DE7,IMPHASH=3CA997A1A0BD38B850B18DAED5E948DEtruetrue 23542300x8000000000000000369304Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.435{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\UnattendProvider.dllMD5=3DB4777B76FC1973A61754FAEC348981,SHA256=29A4C7379E5A0A7532C90B5ACE0DD99AB5311D03CC0BA6A4BCFB410D7D8B01AE,IMPHASH=4FA75E8720452554D61C8AC5FD64C43Ftruetrue 23542300x8000000000000000369303Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.373{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\TransmogProvider.dllMD5=5E82E2B7CFF045C7CDA8E33EAB186402,SHA256=0038B82E999C3DEF3980D39A8CAED9EA6B52A4FC9EF58BF3B3F5FC91F7748112,IMPHASH=7746C0E3C7D3763C5F13C90D4934087Btruetrue 23542300x8000000000000000369302Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.373{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9E2E02612A14BEA2ED78ABB5C531326,SHA256=0907C76440B4A1E08BEDC9477C687F4A29C36EF3B69E3B1EEE2E70A09C660619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369301Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.373{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\SmiProvider.dllMD5=C5C7A9E3121B91E51ECFBA6FB2985044,SHA256=FB519B9EEF4C3344D58C768BD3AD7ADCB0677EA7B998056B6A13620CB9E61412,IMPHASH=03C38376DA7CCE75E82EECACADA0EA03truetrue 23542300x8000000000000000369300Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.357{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\ProvProvider.dllMD5=5077063311C5708318C5FA3E255011ED,SHA256=97FA95102B6ACF00C70F140EE9FA4A73A6BE7C03E0F0D99AE58DB5E492CD0ECA,IMPHASH=D8DD764BFC0F1D9E403714D169018B83truetrue 23542300x8000000000000000369299Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.357{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5AB2892746199C7A29C2B892EE5746,SHA256=AF2392A935957515F9F9496F43A4C84E1315D1F02A938652E127A2A69C2A1E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369298Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.357{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\OSProvider.dllMD5=4868187A2F176074DB7F35E356F74D4F,SHA256=84C8C4C67C808871A278254304D985533F67D44391840F43674FC829014E1B60,IMPHASH=82A4D833A82D441391A9AA3027199337truetrue 23542300x8000000000000000369297Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.341{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A733379D41E38FCFA953E44EC7DCA4,SHA256=99DE77809B20E3282DFE76DFE3D0D3A05476AF9C284667B7F2A6C1D402591167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369296Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.341{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\OfflineSetupProvider.dllMD5=86B7E8438B1125C479FD275B1BDDB9A7,SHA256=47FAF8671B25A30D7BCC47AD35926D70DB633A181FA6C276479B4408A526E63E,IMPHASH=B8B4A188EFC4F12D33591C6D319B6F12truetrue 23542300x8000000000000000369295Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\MsiProvider.dllMD5=EA19239A85416A488360FA564D312402,SHA256=F21591336CD1A24EE941827620405FA34414C1C349216B4B8083ECD1FFF17C29,IMPHASH=33E1132923056DDEFB0521726DA5B987truetrue 23542300x8000000000000000369294Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\LogProvider.dllMD5=F7DB4F104DBB56DF5A156E7329E80112,SHA256=7C67EFAF44D1413576B4575B1A4C975BCB10B64BEF13E6756E895D4DB9E61AA2,IMPHASH=FB695172E8A76C56E97CE435F8ED0220truetrue 23542300x8000000000000000369293Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\IntlProvider.dllMD5=0082903881275179642AE83EFA720310,SHA256=7CCF1625E6FBE4DB16F12AC037E4236A3EF269DEE47A157C68374C867941F9E8,IMPHASH=CFB81BC5FF922F23D605A653700FE666truetrue 23542300x8000000000000000369292Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\ImagingProvider.dllMD5=EEB4AA36BAD26A2C6216A1FF3439B58C,SHA256=44A6679425039DC870C297294C4B3323F6FA9DE5C7D16D7D0AB7E1254AFC75D3,IMPHASH=0264D9B4BFE54732ADF0E29BC73BF280truetrue 23542300x8000000000000000369291Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\IBSProvider.dllMD5=11DE34FCDB75E79A920D3B491F3E7BF0,SHA256=6B7C7AD8B1AD522B27B2CC5E4F76F56ADE4495D7D46CE4F997A68954F072AF17,IMPHASH=C755896FA14213058E34639A28868FBCtruetrue 23542300x8000000000000000369290Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\GenericProvider.dllMD5=397ED660129D40927A27B75A4B8FAE2E,SHA256=EAFCECFE911DABB4531E1331DDF2E119DCBB6B7A887D70BDE737EA76BE10EB74,IMPHASH=F55EE75573C110804DE5E50ACEEC1B06truetrue 23542300x8000000000000000369289Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\FolderProvider.dllMD5=6428B4D0C26DB23E9478F039891CD5C9,SHA256=55126BB099785C2F9CD32A30991082C47D62C8231D570A9D8A6F3CC599B25EE1,IMPHASH=B2CC5EDD42A866F7CB6CAE42DB969187truetrue 23542300x8000000000000000369288Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\FfuProvider.dllMD5=E27BC7F808E72F08372BA3C40B4B6344,SHA256=927B194432046C0D2ADF7C7B71E4BE85602C4D00A5D6EDA9F9DB9924E1C3447A,IMPHASH=8580AF5C1871319D05329DB2E96A8146truetrue 23542300x8000000000000000369287Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\WimProvider.dll.muiMD5=CC3B15540DDB521A300BAFF0BF4F902E,SHA256=33C06CC037DF1EBB72A15BCC2E09BC89DFEF7DD94441C650FD3D0C833122002A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369286Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\VhdProvider.dll.muiMD5=10536C56F02E68EBD13D0B2CE8665C6A,SHA256=06C3B71D251A8DD47D02EDBFBE84E0B6B1D67956DE4D3996031434CBAD728929,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369285Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\UnattendProvider.dll.muiMD5=B7E3676672BE6851EA13ADD879C2945E,SHA256=2D2D82EE842CD346B58DCAFAE6FEC46D491E0D15CFBE0D8964A4AB7F18C5AAB9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369284Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\TransmogProvider.dll.muiMD5=D5D596B1102DA565C2ED1FAAC170E758,SHA256=B5DBB36E947FD64AAF22C53F0A9634C7D72D4CC270C055B67E020920BF806909,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369283Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\SmiProvider.dll.muiMD5=CAD746ED5AF63E7FC49ED4A5A3984629,SHA256=016C6071B04E6D7E12AD9B8A85C002320331E01ED62922C573A1AC43BA0DD919,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369282Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\ProvProvider.dll.muiMD5=70AFEC86B6CF677BF8D3C713CA3281FB,SHA256=C8579EC95A51EB663FFC6145F0998C2F1930A6B8146C84C0A9094BCA4E5195A7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369281Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\OSProvider.dll.muiMD5=A464DFEDEA8520616AA9B2ACD166A77F,SHA256=54E985CFF256CEBE82E9EF3E814A5FDA9FF730BCB50265E9BA78DE65A4DE3F42,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369280Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\OfflineSetupProvider.dll.muiMD5=CED788DBD9D13D0490B2F642B0B051F6,SHA256=D5DBC0A52B598800EE14569859383525950B865F4816E47E2E73F79AA1C32A09,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369279Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\MsiProvider.dll.muiMD5=5AE9ABD6BB469F3AD7B3A4CCD40974BF,SHA256=C2CE66F2F218890AA76F8BAB68B4C0FDCED0688E694F912F3A5BFABFA6CDB5E7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369278Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\LogProvider.dll.muiMD5=0D4519BC8EB58A006E4A5EB993C0DCCF,SHA256=DAFFE67521F9B4657FBFEF9585234CB39293F9B866C0D97D66F675037515BB51,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369277Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\IntlProvider.dll.muiMD5=16ACB74928BC55FD4AAC316F3B92E1D7,SHA256=17CB486CADB679C75A27BA6C76E2FE714F4B8DA845E6F795759517D6734F0BC9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369276Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\ImagingProvider.dll.muiMD5=26F5BBF8D6EE90B4F47C18E93D1087FB,SHA256=F41738FEF7140176447ECF371B1117A485E48BA6F3E9AFAA8C4F883ABFAE62DA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369275Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\IBSProvider.dll.muiMD5=0B09FE334215A8E736B2CF08A50D5204,SHA256=DCE9AD3B79F91BEBEDDFCD9E03F1557CB7C6114AC906081E9E046F807093CDF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369274Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\GenericProvider.dll.muiMD5=956B8B45B92321C0D5975EE9A6C5B773,SHA256=578541D71466CF61EF399023B34EDFCBD915142BE856534AD4D17D25E7CC9F3D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369273Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\FolderProvider.dll.muiMD5=DC4E4C2800DC6D98F7893044A21D246B,SHA256=8B4CE62F4E4294E701193C7AE393EB5EB29AA45932D376CB1A03728A140096AE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369272Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\FfuProvider.dll.muiMD5=5ECAD70AC2B3A95CBB42D6FE67D2F726,SHA256=C210389DBB9B7B4A802E4B0C3C708B6F55B086564A01E19CFB183B6AF916C30A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369271Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\DmiProvider.dll.muiMD5=38C2A1560C340537C3AE0CE04BDF7EAA,SHA256=52B06DFD85FB5AB1DCE2BE665CA144B1AE6658F518D1623D9B44C347C482B064,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369270Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\DismProv.dll.muiMD5=BD7B77B3EE9A12FF3F5446ECDF80B5C6,SHA256=B972A0B2C4682E9074441B481BD886DE19B8DB3DBA401B88E980B154C14D5A7E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369269Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\DismCore.dll.muiMD5=C901FF639EDFBBE710D6E5882F07CD24,SHA256=9BDA61D23DC50F9AFA82DA94B06B7B9C8229D5ED666D2F5270DAE13100815C27,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369268Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\CompatProvider.dll.muiMD5=A2A344CB32B6835744A36D877C952665,SHA256=A74D765B796638A921C4810D1712A08F7A37C9BA9E91F4DFDCB9727611C3D18D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369267Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\CbsProvider.dll.muiMD5=179B34BE97A383AF3E757031E7DA964B,SHA256=ABD3824664D1336EE849D89BA178606CC1B1E23E173752D8093F34A5580FA8F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369266Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\AssocProvider.dll.muiMD5=386FE7AC95738A0CB6D25DEA662991F1,SHA256=22DC7317108A528BA92C853330598F628B93FFF27CAC34C2F501B806A75261D9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369265Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\AppxProvider.dll.muiMD5=9FF5081115C2C21D9F85AF7EE6D2CC63,SHA256=107B10A8C1426F1C0D703F06832D740A4CFDCAA596FA0EA147A32A736A7A2A4D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369264Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DmiProvider.dllMD5=FC76385FF00D4A93618D842B41716D8D,SHA256=BBD49A49CFFA8411FFA91B02541F5F3B5333FD9055BC129DDD3B36EB005C34D9,IMPHASH=062B279D8ED4374A0CD0C84620F4BE4Etruetrue 23542300x8000000000000000369263Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismProv.dllMD5=8C7D97E22045AE402EA896F514CEED81,SHA256=76D3202E11BA22D277532A14CAE60E596975C0D8C34C7BE154F453EB1F7C37EF,IMPHASH=0247CB1C8FD55E43A448E359883057DBtruetrue 23542300x8000000000000000369262Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismHost.exeMD5=A59C22B77871CC18970038B7FA43826F,SHA256=CB84B51713BAD689ABB96560E57A71B276D4B28B1C09C7116EE85F5782A1B144,IMPHASH=734010D3430DBD2CA51B599924FE1424truetrue 23542300x8000000000000000369261Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismCorePS.dllMD5=FB88731B484D1FF4AFF5DB75A20799FA,SHA256=EA155388211E0C3CEF2C99BD5F341C9F93F1ECDA6F21096DB6F9DB2110686A52,IMPHASH=65E10DCEA11F7117C161DC7557B87689truetrue 23542300x8000000000000000322920Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:29.381{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8A09D1D2FB053AB28E4D9D648CDB5B6E,SHA256=F96E5F05AEEBA529AA1D289296894A2616A4DC3471D2E6472BC8A9EE49312054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322919Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:29.194{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96A7D7708E19A6C7D273AF7BE04028F,SHA256=4CE0932AF2883FE605C4D2F35DE69AE6C00CE2FEAAB5B90F258987823F73BD19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369260Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.232{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismCore.dllMD5=F1AB58CACD95921A04225222D03CDEA0,SHA256=EDE89F377FD46F95639413411CDA072D9FF63E72A399B26AB4870094F145091B,IMPHASH=B7B56C790C8AB7134B0680D8DFE46658truetrue 23542300x8000000000000000369259Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.232{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\CompatProvider.dllMD5=E5C1D020198EBEC1D5ABA640C9A600D0,SHA256=A80FD2846E05AB491BDAAFCE8854A04549A852066B82B90D757D9B6A44ADA8C8,IMPHASH=2CDD615C09EED7B572606B2A0C0EFD2Ftruetrue 23542300x8000000000000000369258Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.232{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\CbsProvider.dllMD5=D4A64C7C50D0C6BE9F8770177E2264BF,SHA256=E6505F9DBE17DF9E7E52B5FE1720E1F6482B25D262A47A320CF438C5FD5A5797,IMPHASH=99D5DC4FF67AB12670853DD4E32E8358truetrue 23542300x8000000000000000369257Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.217{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\AssocProvider.dllMD5=56CB83B3454882509791FBA62832BC87,SHA256=5B01524CC03B6EB58CC9E0FF479014EAF89EE7FDE2791BFF871BC90274D200AC,IMPHASH=83F73507B4613B09C6FA825535D8A81Etruetrue 23542300x8000000000000000369256Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.217{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\AppxProvider.dllMD5=8F6792DF9EC54934B76A68B1D7B66ECA,SHA256=E57CB2D5CEC5E1354F4E31CD08ADA02FCAA0E2DEA4B28C8F61683BFA3E875C05,IMPHASH=F1558CACACA712554EBD5926B4B3FE52truetrue 23542300x8000000000000000369255Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.201{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-winsvc-l1-1-0.dllMD5=09934F0F7227B9489D117C26EC20CD14,SHA256=CBE408A0AFF90986A6A7DDF022F96302B4FADD08A0C3C166CAC7A64D6ABF041D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369254Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-private-l1-1-1.dllMD5=484ED248F1A72C6E4E6F6C3F5A3339ED,SHA256=00E14515FE6FEBBF3C2CFC89A6F1A3D6F48B3E7A5EB08D50DADF69CE3F34CC47,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369253Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-private-l1-1-0.dllMD5=FEBE55EA884F3C1EE45ADE2734AA6BE6,SHA256=CD51DF334A600117133C9C8100DDE766D980456988FD333A40BE5A81C8092340,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369252Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-management-l2-1-0.dllMD5=0D45D811001E0A7683A2B7CA8A883874,SHA256=F44E2A85D7507159AE115C85C3497C57BE4ECB2D6ADDB30A534110266D56F92F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369251Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-management-l1-1-0.dllMD5=C36912B3A28B06F5BB24FE9BE49DA4D3,SHA256=D737A832C0D595E8E52846C2D748B911D7155E372F43FBB10513CFDE0BBF83B7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369250Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-core-l1-1-1.dllMD5=A86D518BCF3970C17A1768792FDF37FF,SHA256=AB5CC1B14D6BB708B5C87C2622DA886E2119A6997E08108CCE36080385DAEE71,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369249Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-core-l1-1-0.dllMD5=A329C75641638E2FFA11087F614FD4C1,SHA256=5071AA303D436407D195EF37889F018BE7E350DA5E690793587458D4C6D308DB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369248Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-security-sddl-l1-1-0.dllMD5=C6C6C3E4D7CFA93246362901750A94D9,SHA256=6E274ABE823EF8B30629A99D9F942794C9FE6D003021A0C5085B49A7D8611DDE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369247Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-security-provider-L1-1-0.dllMD5=207B5716605CA4850629F3E2FFFA07BB,SHA256=BE6E6284F69C76BE6366EA8D44D85BDBAB6A71DD42E8B5575CFDF671AD58DCA2,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369246Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-security-lsapolicy-l1-1-0.dllMD5=FE7AD7265E296947172B8C491E8109D2,SHA256=4D231AC65F0F54BFF45CACFFE7DF3109CF87F78D14960EC8F03654E605AC8ABF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369245Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Security-Lsalookup-L2-1-1.dllMD5=EBD6475839F5C99FB8855A80E0FC2AF1,SHA256=F519C7AA6930DAC83A3045CEEE42F64F26FFC54254D5ABD1B0F7D99C47569A30,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369244Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Security-Lsalookup-L2-1-0.dllMD5=AC284A6251F5D26633AF48D918D09628,SHA256=F7A34B793AACF75DA4EAE843B6088C0BAAA8B835EA5F6A65E72EBD9A1479C8A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369243Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-security-cryptoapi-l1-1-0.dllMD5=DE0A49D4B2E9A5FA6762BD191C622B32,SHA256=AB12FEAF15CB313812B01AFE1198B62E72F7702D140830ABAD2CFB6251E82A7C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369242Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-security-base-l1-1-0.dllMD5=DC4B661366FEAA4ED54FB1004D9E7A3D,SHA256=B4018F8F249CE087DB46F61A0C2E947248A5B71576F511F0B3650433607BC663,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369241Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-EventLog-Legacy-L1-1-0.dllMD5=B8B7B02C3C66638EC0BDF49BCF04A680,SHA256=5D1103E89199731DFFF7BF89D7F6484C038D47CC04F730CD5233EDE488272E6A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369240Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-Provider-L1-1-0.dllMD5=FEAA05CE6CCB92AA7B2A2C58C049891A,SHA256=31A4AE262E179DF4CA406E1AF90F651935657BB5FD990C675C67E37D5B834CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369239Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-Legacy-L1-1-0.dllMD5=88450242D5350529CC8E46FD9C3F3B7B,SHA256=312B6BFC89B551F2C4E8FEDAB316DBE01F190CD5E67091AAFB0E6F67616DC745,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369238Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-Controller-L1-1-0.dllMD5=00A27A81EAAE90C9CED7063013877357,SHA256=DC4EE086FC046E1D7A291EA3B8B13E77B7A252B5C283B8F6C9CEC729070B7822,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369237Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-eventing-consumer-l1-1-0.dllMD5=61958A4BE8F944BAFB29DF8009541FCD,SHA256=3B7CB5622BEAC7D633A84EE2F7336C8DE1D3D1AA10577D98020081AB67761FAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369236Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dllMD5=8500E093D6B36DF1AF271F6EB34227CA,SHA256=99E2CD36104D3EFD4DEC88AD0F4BED1FD1BBFA97CC4FB29DB7F7136290DD6B70,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369235Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-devices-config-L1-1-1.dllMD5=5A03B636125C21AB918D2CB04843DBA8,SHA256=C914CD6FE6C7B16533763BC789EDAF67D7A19C26514C927572051C4379C79FC0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369234Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-devices-config-L1-1-0.dllMD5=0C61A8D9CF9BBF6D771BEF0FF4A43E23,SHA256=66807B95E13944D52E9A7AA1F1A41E632FAA46F6B48F98451618DB3845622577,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369233Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-xstate-l2-1-0.dllMD5=56A386E38B637FCD96CED04CEFBCF8DE,SHA256=A5BE1E3C71A3A5C8EEF4BFAD9D0BADC97BA47B2B9911CED4BD1B8F65BB8DCB77,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369232Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-xstate-l1-1-0.dllMD5=6A982D13DDB295E59F90FF23EDD2E60F,SHA256=3617DBCADFE370463B4DBB91C1C6222923F16EC362DE29C2CA3AE4E72C9ABB64,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369231Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-wow64-l1-1-0.dllMD5=AE7573E1DC370B9A8FEBCC17A6C82FF8,SHA256=59A473D1AD7C181C89AF00B966CD107F1846CDC526009C4807A1EAE3DCB3731D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369230Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-version-l1-1-0.dllMD5=5CB34501C2D784D31281FD526B0BB963,SHA256=E45B73AF0C35F05B01CADF6BD4F67C1497586F4C4F9A16F0448BA751E16C4596,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369229Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-util-l1-1-0.dllMD5=212DA9E9AD6BB61A3554A4174BA558CF,SHA256=01291D3895EC5BB0E658F91FE1512AADCBB6D8F1154BC6023076554AFA05AC1D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369228Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-url-l1-1-0.dllMD5=198A08F8150D7575CC207CFFCF67D66C,SHA256=86F6DA0F1D075B7E1678DF71689948FEC334CFB10316FEB40E5107135548F9B4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369227Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-timezone-l1-1-0.dllMD5=4D7C132D9742FFA44248B1BBF32020FB,SHA256=58A65C1938DCDF64D2930B037E9D133A5ACDF46365835782869D3216D3CF2CED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369226Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-threadpool-private-l1-1-0.dllMD5=A9BC53B62CD4B269B8385ADBE0AE808D,SHA256=A30003AB0C020E433CC5296E7E150BB11820395D439062FF7FD6D7F449C4C5B3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369225Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-threadpool-legacy-l1-1-0.dllMD5=CAC86F4298EB2D239410B3338780DC34,SHA256=1D99842180A612D63F1A8B137A9BF0375B7113AAB325916BA4781AB8A7B68E7D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369224Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-threadpool-l1-2-0.dllMD5=D32DDF80AB3F1F96F431E5672DC1F387,SHA256=E2F0F0D46082ED40D042BCCD47F4E917707CF884672C5919116126914FAD4572,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369223Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-sysinfo-l1-2-1.dllMD5=E83097DFE144367FA2231828F9FD89A6,SHA256=69FA978126192DBAB6AF11C9878D9C2BD1FD7E3FC899300244DFA4A1AC7ACA31,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369222Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-sysinfo-l1-2-0.dllMD5=8D842EBFFA7803451A3AC7D6907A6AD9,SHA256=808C22A733B5F6A4E601605DCF4043C9952CEBE825FF2622097FC5B4FACF682A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369221Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-sysinfo-l1-1-0.dllMD5=376E34D4A8F94C94FFF063810717612D,SHA256=5285A11016967E2017A8187882579CBD722371D0B7497B356149FC447160A521,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369220Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-synch-l1-2-0.dllMD5=E19F4FA6A6313F00ADE8AF26649A0BA1,SHA256=386F6CC0C3CE0C904A44A2FDDD11B2E5EA7782B08E69FD961DA5BE3C32BA5C26,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369219Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-synch-l1-1-0.dllMD5=95088E453B41A8B50E7340E6DE9CD09C,SHA256=E4938C16CA5FC7A8C9D87E4201FA2F28992026F5858F36A2A44EA22B5BD0889F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369218Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-stringloader-l1-1-1.dllMD5=FE1D00B19175DE6E9729F709C508DD6B,SHA256=D726F32AEB323F4DEA55D35441D1FF06BF3E212846A6B86D9ADC8F9DD1307B57,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369217Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-stringansi-l1-1-0.dllMD5=43F8D61E2EE0E253B973EFED0B3EBC8D,SHA256=1B9FA225A474D42FF8360141C8BC1EE1E7310958910931AC8E5A213E957700BD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369216Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-string-obsolete-l1-1-0.dllMD5=92C0A4E592B5D773C562A36CBA4E6E47,SHA256=5191E82E921398310FE9FD333F5CA44E6233358499EDD5B33BF8E9F0C9D3B88E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369215Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-string-l2-1-0.dllMD5=3E1902AF98905F00E62B1EC827EB0FC2,SHA256=503443DBF6E6E481EA1C661109CE17B3D55C4FEA001D77F11CD032BDDF64FD29,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369214Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-string-l1-1-0.dllMD5=D30D4587D051D288D1023DB0D826295A,SHA256=DFE66C8C205C95274565BADB7B3C19043917F6CD07A8DE34CE241EFFF9EA6676,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369213Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-shutdown-l1-1-0.dllMD5=1D8D1283F8279BDDACF8745AEDA3DB2A,SHA256=21BF3432160DD9851CAAC716DF3A41E39428A84BA9B9D3C63CDD300CB6928300,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369212Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-shlwapi-obsolete-l1-1-0.dllMD5=33BEFB60C3DC3E93FCE54A0515100181,SHA256=24B3FA4C5E8AB463BD2CFB704D7BFA7E8429726852EF582F94E44D7691BDD1FB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369211Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-shlwapi-legacy-l1-1-0.dllMD5=699CDC66AA090D13EFF451F2006944CF,SHA256=6212B2B8CF5533F9DB6E366BBADED7A8D6EAD6667EA6A425B6987102669D8D96,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369210Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-rtlsupport-l1-1-0.dllMD5=F9672F68330CD16B0D1FA3A75B123AE8,SHA256=C5938839A3DFFBFBFEF432D0A95D0773375B4758FC160EDD04383A4B4273A18B,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369209Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-registry-l2-1-0.dllMD5=BBC015F33C0C3C2F9FC58C466BF8A30A,SHA256=1ED3511DC98353CA8E9B22A40C318BBD24484C25C171886B06B22AFD396ACFE8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369208Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-registry-l1-1-0.dllMD5=D132FADCBF190A1C68070E6D488E67D7,SHA256=E6F51C07641EF931C4F97E5D966242BB96A156A603A7769BEAE0EA61E9E25486,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369207Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-realtime-l1-1-0.dllMD5=792C54B79CA333ABBB51BE66815A98CF,SHA256=1E3B3505560AB3E641C386473A83AA194D94CD5BC6CC4FA718D003D1FF899601,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369206Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-profile-l1-1-0.dllMD5=C4E53285E8C51DCBEFF5098215759D69,SHA256=320A6138FE915BE7E83F4CDC2024531948185C3BFC939CB367A53F1AA74BFB2C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369205Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processtopology-obsolete-l1-1-0.dllMD5=99E3ACC47F10000AE67A577F5893FD5A,SHA256=AD01524D3FDDC25C91292808E7B333B587C902E996E557885E79CC10F9A66214,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369204Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processthreads-l1-1-2.dllMD5=DABFBC1EAB7AEE555F3BAEAF981EC7EB,SHA256=3070505B0B060D9EE9C2B699A518481A22DC15ECAF9603089FCF9EBC022179C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369203Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processthreads-l1-1-1.dllMD5=8C5DF20B2E2DE6BA6717A597A951E4F7,SHA256=BE42C78E3F21CD6E74811F27E1B76C4FE8537FB149EF34EA455F22AAA29720ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369202Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processthreads-l1-1-0.dllMD5=3D0CD1FE610E55E8C151162004A1429F,SHA256=D43535460D9CF2F2D348E9F2027DAF9FC0C0C906D5066E15F86332C839C94651,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369201Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processenvironment-l1-2-0.dllMD5=BB20192D0B22AD2EBBF4960B66D2E164,SHA256=23E758C4F7646AACC2DE8B8930BB272115F726F27E5437DF606E1C2328FA48F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369200Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processenvironment-l1-1-0.dllMD5=2CF62C9CF255C15AD1C8B1CCDD9453D6,SHA256=35CDE2048D4EC8D5D02B1CA57B81B8D5F579541EDBAF5DA4485A6323B8C3A805,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369199Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-privateprofile-l1-1-1.dllMD5=FA8EFF9B35BE58F70CD0014DAF108819,SHA256=835F086B0884E8E1689D661657F258FA1E71439672E9F0CC0140D614DAB6FA6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369198Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-privateprofile-l1-1-0.dllMD5=C8490BC5ACB353CAF140CB12670883A2,SHA256=85F3FE5E802843596F466D479111658B08271E48CC1821EB17E6D299D523C95E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369197Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-namedpipe-l1-1-0.dllMD5=D8F1E545D80C2045881C7F0525558D80,SHA256=0D9C3D6A6DF364F812D370258C1B3D3F97584E9F7D36569D06746EBA1695D368,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369196Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-memory-l1-1-2.dllMD5=9F77AA276A31F36805DF003F9E66BD99,SHA256=26425008D97A2EA8B95AF52BFE47CF5DE1DE9BB3E25DF77123B85C895192D7D6,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369195Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-memory-l1-1-1.dllMD5=728A5655624D5B091E8E216BE90D9EF9,SHA256=A2B17F63065CC760FA9CF5D2950D0E13613997546C90CFA1C094CF32171D49ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369194Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-memory-l1-1-0.dllMD5=BA6B6729DC95AA60AF31A160E2CB4533,SHA256=AA433713D5D1DB4413E9F5D938C0C452BAE8EB1BF8CD011803464BBD893BBB08,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369193Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-localization-obsolete-l1-2-0.dllMD5=B5727AD79BEBAAB6E6AFA381A28A8E9C,SHA256=C0E101B6BCDDC28A9BA24C7796BBDAAEFC14459E402FD53053F3C23E0D84D040,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369192Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-localization-l1-2-1.dllMD5=FD9B6F1EA88B7167E6EC227A61B90888,SHA256=2FEF21096468EE5C6BFC88971AFDB4CC07F6C4669375561863B85023C15684AF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369191Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-localization-l1-2-0.dllMD5=C8420A86D981BB6AA0D32001D234639E,SHA256=2E93EA8BB070C07C39B7F042B7D9843C4B74B3D4E69C8E33D89B0574B2D1D43D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369190Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-libraryloader-l1-1-1.dllMD5=787DCDC02E39A27A63B857FF6E819593,SHA256=91A7DEC7B636C00032D122CA04D4B8653B13E1211C54A4184F3955D2398C2E2E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369189Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-libraryloader-l1-1-0.dllMD5=AC90FCC4E819CD2EEED5D09A1FA42BAC,SHA256=2DA68FCBCE619BE5A90501F971467B7A894C6A705659346729E1E4E306EEB7D7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369188Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Core-Kernel32-Private-L1-1-1.dllMD5=E269D033D63A117DA8F3F855B90CCBFD,SHA256=41437C84BF757CC5758BF381600D0DECB00E8F8F56F11765203B7880AC4CDDD0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369187Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Core-Kernel32-Private-L1-1-0.dllMD5=58B0B7C61F098BD1E73E9C156CB38C64,SHA256=C366B92E7048081C7B336CEAB970BAA20AFDAEE2456820AA38360D1429C27669,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369186Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-kernel32-legacy-l1-1-1.dllMD5=912D93DCBE67A1373D93BACD0174E3ED,SHA256=0B94CB7472E0777AEFC1B3208ADDE41B893B78B3223F515FB86348D3362624C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369185Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-kernel32-legacy-l1-1-0.dllMD5=8E788763C9CDB6E5D1A313C08F7D621E,SHA256=5604FCC803BE14AD10C7A2372FB19BC80D43AD850109A670676982A4EC961473,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369184Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-io-l1-1-1.dllMD5=DC7E345A08B64DDD90906151E1D566E9,SHA256=ABDC082DAA40FCAF14E4E554DF23CFC48533F5A2157BD540BFEC49EB8E31E403,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369183Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-io-l1-1-0.dllMD5=A4381D04E233B96B657262DE9B31594C,SHA256=17BE2709D85E6B922BDF5D357FB4CD9416234F8E6685226F5EC776E8B3B5A678,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369182Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-interlocked-l1-1-0.dllMD5=39646EB20F4366691E3EFF958C99D1D4,SHA256=262D2C2EBAFFA4276F54B05A5A1DA125CC9DCCAF76EAAD3AAF7B23D54EC33C8E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369181Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dllMD5=0C5DE8F3B6CC9B44ED0A0556A02F4867,SHA256=D08261783A1749B08F7423923B00FD77E3B44265889B1F550A64239586BC8FC7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369180Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-heap-l1-1-0.dllMD5=51EBE577149EABD170684C2668F967ED,SHA256=0091D6C33047D8EF6E0F09E049DF2CABA5EE6B4F5B1870E0A369D3BF6DB72330,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369179Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-handle-l1-1-0.dllMD5=F83CB23123F3E4885547ED29F2BD2360,SHA256=495A9EC7C50D6D72F209E1F69C9B0C292D8D32FBE79FE675128786F8E351B988,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369178Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-file-l2-1-1.dllMD5=8B79E85DB9AA6D00794E5151455951BB,SHA256=EE600140599138132439FA9FB9FA6B028A9BF2A206A856CCB1106EFF45459C13,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369177Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-file-l2-1-0.dllMD5=455C1AB890C154076E0E23A42F10B6F5,SHA256=DB95D8AA71A8E0A54852C1A83E42267C72E26F2A111AD41146096BF26825FF62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369176Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-file-l1-2-1.dllMD5=A9808572063E5A5649EA59F8B40FC7A8,SHA256=D4FD5081924D4B544188A687BD37127E0A38AF310E77C55F6EC22896B95B3C9C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369175Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-file-l1-2-0.dllMD5=4438E1D7952A77B7F71FF45EF821814F,SHA256=1C4FA5120E310E49C8112ACB6E594DB2F581AE4B6BA6241EEA4301E0E373959F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369174Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-file-l1-1-0.dllMD5=FF5C179E19923B65E650B11283250D50,SHA256=CF84455BC2AADF2960F0AE4D3691BF3032F412578CB2730A27848C6B26D00225,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369173Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-fibers-l1-1-1.dllMD5=A263189D905386A2A91CD2EB39D3365D,SHA256=7392027920D102DBE4C2C15590CC471063D6B1456CAA797BB71F8973C60B47FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369172Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-fibers-l1-1-0.dllMD5=A1827E232474C845B7A495D1A4CA6169,SHA256=A95088251923F1233CA4F5675457D6D6B2A1601734D4B5451420298491864746,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369171Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-errorhandling-l1-1-1.dllMD5=E98BCC3FA25D6DB36D50786EF08DBADD,SHA256=7BDA00F42BE64BCC1022EC3000FE2582CDF4CC89083D868ACA9DCE982C98C52C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369170Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-errorhandling-l1-1-0.dllMD5=14E8A42D84E459F617344438903680EE,SHA256=1FCB6E1908C13B5184373E83B3C13FCF96B55E4FBBC8AAF4D6E9DA604DB75848,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369169Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-delayload-l1-1-0.dllMD5=762D2E52FAFE433C50648FC23D7C3E76,SHA256=53238588E10FFAABA96C751D34181BA04A869A0474757E79D9FE82ABC3DC7CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369168Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-debug-l1-1-1.dllMD5=1652E7B742F30832826B48E62485BFC7,SHA256=0362AFCDFB6CA89CDEE0DACEC94A5E45D6910B5337343149007DE2443050D154,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369167Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-debug-l1-1-0.dllMD5=E02F6786930435C736D71E9B6B898773,SHA256=4C0F43EAC3834878F16175B17427C0195A3213B7CDF9702447667D703AA29B54,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369166Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-datetime-l1-1-1.dllMD5=78876D83AA27E510EC3DC3355D034B92,SHA256=44A696C4626AF85EA565D651D7FAF5E21B6EB0C6EE47EE93419D8A7BAD565278,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369165Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-datetime-l1-1-0.dllMD5=CF9560A4450AC70C51866581802AE8CC,SHA256=A7A23DC37F028D38D2836CE881FCFF1FD066538588B207BBBCC3B1AB96E3AB62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369164Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-console-l1-1-0.dllMD5=893E267BD0B91FADAC2A2BAE70FD0400,SHA256=17D17AC0383117E9A14D7687ECAA3B27AF1C71B89687A5C3E5B8761B2E64EDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369163Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-comm-l1-1-0.dllMD5=C7EC73197892D7F63059C10D19BD5D90,SHA256=768E17ED08111FD22BAAC8FAC00C7DD87F0E57FEFCDAC58CE04B868528B2FDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369162Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.013{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-com-l1-1-0.dllMD5=08A5A3129DCB52F3C4E51EE3C4A827E7,SHA256=3C6549832275052BCC2234CC4433D95407800ED65359F5147C4762EE0C71F712,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369161Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.013{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-base-util-l1-1-0.dllMD5=29CD6DDC6BADE9098B9A4402C6336D62,SHA256=B97C475AA8241C9B674E8C51C387AFAAA7977B036D9E2F7FAFB6CACC11D985BE,IMPHASH=00000000000000000000000000000000truetrue 534500x8000000000000000369160Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.013{27B459FE-5E7A-619F-3901-000000000F02}5360C:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismHost.exe 354300x8000000000000000369314Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:28.303{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58833-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000369313Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369312Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369311Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369310Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369309Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369308Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369307Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.529{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E11CC20887DCC70F2743880A6CF8E2E,SHA256=79D582B7BB7AB362D2EC9BCA31A3D9C4A7FF854EE4138F8ED449710C41CE38B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322923Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:28.556{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49941-false10.0.1.12-8000- 23542300x8000000000000000322922Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:30.209{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8A7709A85AADDD33C952E5013EBB98,SHA256=C627F65A05EA361B1C35F7E98471CBE14666156BC0E4F192FF3DE5EAAF1B5092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322921Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:30.178{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369317Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:28.902{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-46263-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369316Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:31.576{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFC5F44C97DCDF36FA16625410132F2F,SHA256=9E6E11EB2CEAE215B2E16BE15A8FB8AED583D232E97BE0C855886F4BA1FEA6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369315Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:31.545{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD28327F1BB9BC4E9FD82D0D16A921C0,SHA256=18EDB61CE3DF042FA57AEA43278C8D3F33BA74DFD2B1FA09ECD398F1B7AE601F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322925Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:29.727{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49942-false10.0.1.12-8089- 23542300x8000000000000000322924Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:31.209{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F078C3F48049E3DFBA76CB8F1B348885,SHA256=F5D20406810B728375AD4FE9AEB3DF1F84DC488A1C899F958E8E0F67F07EC42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369318Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:32.545{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3C47414A1F9947DAAC9797B6003244,SHA256=916EA0F93B368E31EEADAD3C8718BBDDF232CA8D0DD0A70789F5ECBEE50D261A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322929Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.225{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D01055B96BC1C7D5916D57CA7CE1A0,SHA256=D2C592274B63411B17DC760351C96CABD3F316DAC490C168F351AAD1F44EE00E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322928Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.100{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322927Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.100{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322926Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.100{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000369320Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:31.089{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-54146-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369319Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:33.607{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2362395FD74852A495FC15BF5D640E73,SHA256=4E705E8A995AECA4F8C098F4A8B8C32D4B1A457146DBC458BB287D53E204F5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322930Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:33.272{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6E6B2F8CF79699CE5F0968A73EB8CB,SHA256=2E195B33A99F12745AC6D3373A2F4A149B0CF2E3A2A1CB739B1E8DD99C720166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369323Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.623{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D912595B69D9E2EDE6858E242E34E4,SHA256=1CCC0CBCA48EA7D9DD60AAF4B8A7CF8D6E01B1F7CDEE4F652FFBAEA9D193AB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322931Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:34.272{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CD2B3336BEFC3E1ACA6397CB484E47,SHA256=6643A5F997467C9F7BD31885030DD5A9F921C360EFC21E74A9159A073DC5D39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369322Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.388{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D357F49890E429A06D1B6B849FB03BE6,SHA256=81B08DE7AC98C1F52DD1A0ECED024CC970D8EC798B56B3057058B7463358E4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369321Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.123{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6C8B1EC701A5F07733E2089C7B32ABA,SHA256=991DA6633972D91A06563E185BCDDDFACEF5C96038439FEE3E8D0DE03BF7B8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369324Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:35.639{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466A9EDC19CDAA4E1C5E8F84E6AC46BF,SHA256=F7B827C18DD5E77832D6F5AEF7C16BEB55BEB5329D2B6D917092AD7702E1CA16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322936Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:33.555{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49943-false10.0.1.12-8000- 10341000x8000000000000000322935Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.366{99D2EDAA-5ABF-619F-0B00-000000001002}6162332C:\Windows\system32\lsass.exe{99D2EDAA-5AA3-619F-0100-000000001002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000322934Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.366{99D2EDAA-5ABF-619F-0B00-000000001002}6162332C:\Windows\system32\lsass.exe{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322933Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.366{99D2EDAA-5ABF-619F-0B00-000000001002}6162332C:\Windows\system32\lsass.exe{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322932Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC2FAC266B1454EB9D3F5E8115F07BB,SHA256=41AFAC3371733CE51E4CB4D0CB394F9EAE72CCC59F67DCC9B084A96E1751847C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369329Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.371{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-49944-false10.0.1.14win-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000369328Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.161{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369327Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:33.439{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-4298-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369326Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:36.654{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6027E2F91167139E52011BD1034B6BA4,SHA256=43AD148824457BD5660C76D157F9B0D171F407E4641099174AFAD2C1D7D34F43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322939Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:34.921{99D2EDAA-5AA3-619F-0100-000000001002}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49944-false10.0.1.14-445microsoft-ds 23542300x8000000000000000322938Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:36.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BD07E366966BCF8F49D33F9E6D4608,SHA256=0355E8713DBE95F823804F06FD7A2CB6E07ACCEF3FF2FD69C6FA4F34A4547575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369325Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:36.295{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE75876EAD14530E6AAFF705AF6390DF,SHA256=DDE67A355BAB2AFFC9B35541C5D9F3A4EBE697E0A108B679C27AB575BBA4BF2D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000322937Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:00:36.256{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x4afbe7ec) 354300x8000000000000000369331Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:35.239{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-266.attackrange.local123ntpfalse10.0.1.15-123ntp 23542300x8000000000000000369330Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:37.670{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F9008BD0E1E6F867C9280AD9CF1A8,SHA256=C2324FAB089AF59BEDC0E38964DE8866C314719E3198C501026B46A7AB5B1C9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322941Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.789{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-61.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x8000000000000000322940Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:37.350{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855E0BB2C0D97E80EDEDF3DD1D6699E8,SHA256=1B4F70ED2CC6A0E17518ED9159F89A1132F8B373EBA68AF3E8EBDD43FEA3C230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369334Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:38.826{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=830C2625F8679A2CAC9A69AEED128751,SHA256=69E592817482ACCED0319DEC8D25CE3F73BEE448B36709A427B29F58008294D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369333Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:35.966{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-12617-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369332Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:38.670{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76838CB6508E89842AB8F8B0640D2A31,SHA256=EFDD2A666FBE3944902A4916CDE6209BBC1D8B83FEB09D5FA462B0F8A2FA89CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322942Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:38.381{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D078260832A946ADDBD9860026AA9F,SHA256=9ECBCED01C763916CA1D65454AAB490D830CD0FC2E7460D485C7A48EFA46EB42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369394Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.796{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369393Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.796{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369392Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.796{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369391Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.765{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369390Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.733{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322944Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:39.398{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96EB2000443E0CEFD46BE2603896CFB,SHA256=98B0F964391C70DDB2B25B40063DFA43A4920EFA72623ED904883960DD4915BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369389Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369388Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369387Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369386Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369385Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369384Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369383Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369382Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369381Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.608{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369380Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.546{27B459FE-5AC5-619F-1600-000000000F02}12882092C:\Windows\System32\svchost.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369379Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.546{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000369378Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.499{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-11-25 09:53:42.788 23542300x8000000000000000369377Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.483{27B459FE-5C05-619F-B200-000000000F02}4748ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=E3C42322EB9D0A3E07C0E31B62E4FC00,SHA256=6A9B273357366326DD81162D7E727C71D9EAAE8CFF22202AAF79B0F3461E92C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369376Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.468{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.ps1.lnk2021-11-25 09:53:42.319 23542300x8000000000000000369375Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.468{27B459FE-5C05-619F-B200-000000000F02}4748ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.ps1.lnkMD5=26B0DCE4C2D45728BED2C3598508B9F6,SHA256=12FFC3C59F47CDE04FD1D9D15ED62108C57078158CF1818A327798A20623E725,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369374Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369373Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369372Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369371Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369370Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369369Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5C05-619F-B200-000000000F02}47485912C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369368Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.409{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\System32\notepad.exe" "C:\Temp\1.ps1"C:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000369367Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369366Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369365Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369364Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369363Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369362Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369361Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369360Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369359Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369358Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369357Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369356Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369355Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369354Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369353Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369352Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369351Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369350Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369349Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369348Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369347Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369346Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369345Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369344Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369343Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369342Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369341Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369340Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369339Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369338Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369337Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369336Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369335Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322943Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:39.303{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC4-619F-4200-000000001002}2984C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369397Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:40.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294F929C63B040D22DDE4C55F77E5D7E,SHA256=9B9A87A3A6B4E05F24ED7E3EA78357F840791E795B2DC3A4B26BC8B3AC442576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322946Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:40.976{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1000-000000001002}928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322945Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:40.429{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7A342848FA87CFE6B8A532645049C6,SHA256=098A8243F2DA49A2C471B2D94012DC82AD3DB6AC79DA6BC8FACFDF1B14750AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369396Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:40.421{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=649653AC9235FE5CF527DA66D930D3B5,SHA256=D23860ED147091619E899E7666CCAE3EB0D921D765202B7771298F806B46CB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369395Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:40.108{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92960CD349101DF56EAC2FA2BE7DD7E,SHA256=E83DA42085EE81F206B2541C873F9CDF29FF17D28C54641A07CD912384C7ABB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369399Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:38.674{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-21021-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369398Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:41.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777F618460B1D82934A795D7D4890AC9,SHA256=F8C43129F41A5C1CAA0F29324CC07C3491648EED992A7BBD927FF33FBF4632AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322948Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:41.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37416586889F0A72423BCB6C7E981DC,SHA256=AA1A8F2F644882F9CEB898A71C2BCF2295E3333C55C83AAFDC324E48DC3EE1AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322947Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:38.696{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49945-false10.0.1.12-8000- 354300x8000000000000000369402Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:40.180{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369401Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:42.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D9D1B5A89E5BB60E1DD278A3DB90D,SHA256=773BE3EEE4F7768ACBC82B5BFB1E25D1E147CD42BC9CEE7605E78E832DC01CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322949Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:42.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03BD75A6798EED7016C1258E140C2F1,SHA256=26E6927C87F67A699F1CBCF6F6AECE405C0BC80CBCC315E294810C8D6AED12A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369400Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:42.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA08C69F7DEA790450A4429F4F1E16D4,SHA256=5EFE2E563D22DA0AAA61630A8BEBBDB1A947E7EA06AA2B71487A67EB00E49D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369403Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:43.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020D7797F1D8F8DD04452A83FF3405B0,SHA256=6E78CAD6172C1D8DEADB53A74305CA48C31D4C60211DAAAD0B97787D90160E84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322963Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ECB-619F-0C01-000000001002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322962Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322961Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322960Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322959Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322958Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322957Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322956Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322955Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322954Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322953Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5ECB-619F-0C01-000000001002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322952Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ECB-619F-0C01-000000001002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322951Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.868{99D2EDAA-5ECB-619F-0C01-000000001002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322950Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D9D4C09E7C9CA49E7D91E698D35B44,SHA256=3AFA44A728AF73BC031BB8D013D2BB8B239FB0AC3A14D59EB0B8126FD60A4350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322966Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:44.883{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE76B5D38BB11AD2129C70453A21F21,SHA256=998B861A92AD3A06D5DB767E801A909DD87B2675A73A7E2AAD4F17D3921024FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322965Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:44.883{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65ED22759212714CA762C15E6104D6B1,SHA256=5DE2B7BBB27A956AA3DC365134DE919C1F45EE31F7E4E73FAAAC0B28BE7771FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322964Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:44.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9694D66D79AF9628E0A5AA5EC390592,SHA256=562AF9707072C1285FC9723D190B1C5FCBB95FAFECEB1B386F49D0850466D611,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369434Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369433Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369432Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369431Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369430Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000369429Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369428Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369427Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369426Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369425Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369424Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369423Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369422Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.827{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369421Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.812{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369420Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.812{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369419Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.812{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369418Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.812{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369417Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.390{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B867363B3FD1EC8F320236E8C93B6B5,SHA256=159D9A8EA00D1AD70357A09842C58A0C57AE387331F9847B154BB3F4E22902A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369416Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.249{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369415Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.249{27B459FE-5AC5-619F-1600-000000000F02}12882092C:\Windows\System32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369414Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.249{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369413Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.233{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369412Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.233{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369411Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.233{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369410Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.233{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369409Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.218{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369408Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.218{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369407Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.218{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369406Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.231{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x8000000000000000369405Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:00:44.218{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXEHKU\S-1-5-21-3499523948-2023901041-105020508-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFFBinary Data 354300x8000000000000000369404Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:41.570{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-31324-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322981Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C676CA4ECD02B85F842006F09AF453,SHA256=432A88010858C016E4CE303BEA71B255C7628893357B3D1A26E44C6468CC8614,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369436Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:43.633{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-38592-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369435Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:45.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF97F6B660DB0FB5788629288C8FABB8,SHA256=BFE130B417F1BFA52AEAA36A5E83770E296DAC6534E1D08633BF03A30B7D185C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322980Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.195{99D2EDAA-5ECD-619F-0D01-000000001002}11403320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322979Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ECD-619F-0D01-000000001002}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322978Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322977Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322976Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322975Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322974Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322973Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322972Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322971Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322970Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322969Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5ECD-619F-0D01-000000001002}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322968Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ECD-619F-0D01-000000001002}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322967Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.024{99D2EDAA-5ECD-619F-0D01-000000001002}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322997Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.476{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D826BCF0AAF8EE76B8B3AAD737B2C4,SHA256=BAD9191752C4D48C0FBC5A0F6483AB05965842117125F51D94B9B993FD4940C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369438Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:46.359{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A9161EFB3511928DDBFA6E9C8A07968,SHA256=8AA04C505B196852D1C62E990DE5109FB085372F5BBDE3170786D36DDE7ACD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369437Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:46.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E376131CE6FF3F9E17DC0991182BD3,SHA256=37FB72A4024B0451B39B4A91BB4AF062B9B0D3AA49E1D75BD7B52EA12BA620AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322996Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.760{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49946-false10.0.1.12-8000- 10341000x8000000000000000322995Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ECE-619F-0E01-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322994Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322993Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322992Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322991Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322990Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322989Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322988Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322987Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322986Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322985Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5ECE-619F-0E01-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322984Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ECE-619F-0E01-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322983Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.087{99D2EDAA-5ECE-619F-0E01-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322982Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.070{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE76B5D38BB11AD2129C70453A21F21,SHA256=998B861A92AD3A06D5DB767E801A909DD87B2675A73A7E2AAD4F17D3921024FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323013Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.742{99D2EDAA-5ECF-619F-0F01-000000001002}9602580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323012Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ECF-619F-0F01-000000001002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323011Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323010Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323009Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323008Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323007Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323006Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323005Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323004Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323003Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323002Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5ECF-619F-0F01-000000001002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323001Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ECF-619F-0F01-000000001002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323000Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.571{99D2EDAA-5ECF-619F-0F01-000000001002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322999Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.476{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC95DC89762C722505E48B3A8BBACBF,SHA256=DA4740A808FD7E3B2E80CC1A8ED788F0403C53DDF46FC9D7B0765F272ADDFE0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369440Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:45.257{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369439Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:47.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD66EDB74563E8CE395DF3562E0C565B,SHA256=A91169C850657B37155E31C5AFE7081AAD6A5A7139C7BFAECBC2EA898C2A76FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322998Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.101{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0823D59CA2B45516A584659216982F7B,SHA256=D4AD73C1C3BEEF65318DD705D29A3E698BB3F77E43A9871660C2A5AFF0775B91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323029Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.820{99D2EDAA-5ED0-619F-1001-000000001002}2243772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323028Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ED0-619F-1001-000000001002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323027Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323026Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323025Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323024Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323023Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323022Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323021Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323020Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323019Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323018Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5ED0-619F-1001-000000001002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323017Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ED0-619F-1001-000000001002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323016Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.649{99D2EDAA-5ED0-619F-1001-000000001002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323015Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.617{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C8BF7E1C3A6FDA9D179380E358A65B8,SHA256=19C84F067476644B739F27E37F236171921EC4EB252DC7C365035C3A848EF45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323014Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.476{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D1E4A81462A1CE8D189F0FD74A7DBC,SHA256=CE838C43BE7728EE9015ACFA8DB3C1112D575DA3451787694847D8E5E55881C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369442Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:45.682{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-45828-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369441Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:48.030{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351DEDAFBEA3421452ABF311DF581180,SHA256=02DD22C410AF47BAC08C1ECFB509F24600425108D7E96FEA2D4FBD486B4114A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323045Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.664{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC482822C8CDEE85B39A9F8A5508FA07,SHA256=602176187176072FB94A140CCE2B31AB67F0B4E70609D092D5A144569F651B62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323044Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.586{99D2EDAA-5ED1-619F-1101-000000001002}3484684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323043Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.570{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC97D31D79E036430F3E029F915A8DD,SHA256=900EC1A93A242890AF386C920B8A5DB966CCC2BD969F88D961150959AFA01A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369444Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:49.609{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=195588FE8797AF0CE690B7681826C867,SHA256=6A94B72B5DB9BE8737D6DF687A854D9A545AC1331379B7C38B09CDC2BCEB39FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369443Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:49.062{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2777C501A806B7C1B474CA29F73F3794,SHA256=87A1CE5F77F49A0AFEF19848865957F23DFFDE8970C7FD8D14C6ADA72DA35F92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323042Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ED1-619F-1101-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323041Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323040Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323039Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323038Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323037Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323036Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323035Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323034Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323033Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323032Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5ED1-619F-1101-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323031Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ED1-619F-1101-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323030Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.399{99D2EDAA-5ED1-619F-1101-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000323059Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ED2-619F-1201-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323058Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323057Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323056Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323055Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323054Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323053Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323052Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323051Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323050Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323049Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5ED2-619F-1201-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323048Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ED2-619F-1201-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323047Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.852{99D2EDAA-5ED2-619F-1201-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323046Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.648{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38661C3FF3FCE2DA536D4571508FAC21,SHA256=88C11434E56E6007922B91FEF89FF6B506EA22C445ACEDF5CF0D0ED37B372B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369445Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:50.077{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112D5F0CF842838DF3228ED2EAD29083,SHA256=B6BA4B46F707C46C17800016408F5689C342B4C41D63C9B0F4C2D08DFE240126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323062Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:51.867{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BD37949F6EEF7D5C6CCCC75C394B342,SHA256=943A977FB3E276CEC49D0E206C1B1BE9EAB6694B38FC75958A26E9D7C5531684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323061Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:51.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD422AE15EB8C5D8A736DBF1F27C193,SHA256=45914DD8FA2643D4B9C34D074D5B63517C659DF493BA8E0B0EC634F35C6FDFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369446Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:51.093{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9FCD7194F35ADBD5D778031E9FEA5B,SHA256=76AB63D65387B22964DA321B2696D4DA8FA242EB8D7FF6CD9972D5361EFB76DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323060Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.620{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49947-false10.0.1.12-8000- 23542300x8000000000000000323063Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:52.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6A22FF33C9A9F1D9ABB2A8E6BC4E91,SHA256=BB3F7C8B9A5450AA2739377BE14615E95C14F5D63F27D91AAEFE7E8B7E767D00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369452Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.906{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369451Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.906{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369450Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.906{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369449Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.484{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B60283866A47ADAFF6191C24598DA434,SHA256=75E632CA33E293BFEC01A4B0B5A523C9AE5AAB87AD84E5AB32A1260E815DA8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369448Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.093{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A74FAE0A4B3B45BCA08D89E451C801,SHA256=64773391BBBE926EF4A81560910EE688DED4E6400FD5184AA17CF81899AF9375,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369447Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:48.907{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-56521-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323064Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:53.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA57CEF4AC6560712D5B23B2E7181A3,SHA256=68B4D0049DF0CC838EEE9F56E7B73ABB3B335BBA4AC48C6DB0B31719EA42F807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369453Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:53.124{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEE812188CC8E7DD27C3E7FA37BD329,SHA256=FBC258DD112298257BA3552BB4EC385D5B2042A17C3821458865B365B4F75524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323065Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:54.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A322D44DD844F134E4E85914151CC513,SHA256=AC6D635663B971E7D706E508E84583B82EB57DDB0EA4A063C0A71A4011870F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369456Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:54.390{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D855B9FA95B910E32CFE14501862FF5F,SHA256=1C8E94B5E520034C75D07D9F827C133F2377B3475FB353739FD1FCF49D1B3AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369455Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:54.140{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91231D1260897ED1D403E900CE071157,SHA256=1454C2191318B3A4E6E29AF842ABEB99F4FF5B5944FDF9FBD1E84934FCCE6F91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369454Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:51.131{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323066Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:55.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654075B8D4B29E35F6DB6B99E2C7E2C1,SHA256=F51791C759EBC13537066C0D82158F81D329CD60C19E5F10C9688B5B865B635C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369458Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:55.234{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7F861544BDFE27FDFD25400E29BA40,SHA256=1E6B2CFB95EC23D6A800F740195E5D7472136FEFB4AE9E33576B179B74ADB99C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369457Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:51.963{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-7938-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323068Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:56.980{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-016MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323067Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:56.743{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BAF23FA5348D9A514455E7448ADDA0,SHA256=ADB693364269354A5B481C7C5D4C804A4710F566AD3CBF14CEE5859474B423A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369459Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:56.249{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E99C406A9E9D7332F6A2191FC06279,SHA256=76390FA0485F05AC3B99089CF3A04A8F792AC8133A40AA5A7FE37CD238FCE2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323071Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:57.994{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323070Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:57.759{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281D28EEBA29A155A7C474BA955B6BC2,SHA256=11295CEBB065F6FEDB193C338AFEE3FCB61FBED0ACE7E258C3DF4559A8AFA4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369462Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:57.250{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D5A626545C075521C97FE8430D0651,SHA256=78D86A739742EADC9BAF4C77E12DD5EE581CB758383AB21C9AD8161FB9C41966,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323069Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:55.619{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49948-false10.0.1.12-8000- 23542300x8000000000000000369461Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:57.125{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EDA3F76585C00751E219A4671587278,SHA256=3D7A07913C6DF34306777B9B8D189EF0CA982E3CB9FC4BB7EA77CFE0ED1FAD30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369460Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:54.373{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-16050-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323072Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:58.791{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A2CB1937965AA217767535EFBD3061,SHA256=DAF27F0807CD9B759C0895511BE33685E0A020266C90F932AA050E5D707C9E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369463Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:58.250{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A75379335D90FB15CB0AD591BC4D00,SHA256=AA2494E8634582A0E94349D4F94F272C9947011B43D234BC8A3C80486E59BAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323073Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:59.806{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145A0D55971614B141A6C01C73EB4AF3,SHA256=53571C498E4892D97CA04DAD44B6E59DC0F11FE429A2D38EE44B772FCDA0B7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369467Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:59.938{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=565C5CCF8662C407319E2F9C1FC23F4A,SHA256=E3FBE6FE7CBD439A9BB3FC97168724553B2D85ED579E7888D6CE2C100EFE8EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369466Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:59.250{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732AA7B058F0427A03AA5B53C9F87757,SHA256=FA4F138EFAB25630C9025AB6BA6433BF61EB44B0972E54F7C19F70E5E2A6E39A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369465Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:56.425{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-23934-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369464Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:56.225{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323074Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:00.853{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290627B79053166AE5A0410B243EC7E1,SHA256=8D4B0275DE7F327ABD116CC74EC439C15DE871121453178184E2FEB616EDC83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369468Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:00.251{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6131905FA27956348DF4453C86B7F2,SHA256=64434D9C83DFF3379A7F58003BC3E3B40E30D9F02D55E4FF2337BF8C79C4036A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323075Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:01.853{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D6682678C9754AD4659478A00E983F,SHA256=FB576E1A13B583BAC81A1A983CBEE454AC3600C7C83378C68CC3F07946A10ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369469Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:01.266{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3FEFC5E8C4254A12C921C0A6E82FEF,SHA256=89F7F784E82816DC7BFA3BC56FC9C0B59B3AB740FBA39FAB951A4C1CE1E0D68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323076Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:02.884{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE888D49B2D569F1068DCF91CD851A78,SHA256=333DFFD2DF6ACB3F35CE8831CE4CC928AEB2959C1A605D77F5B1CE37A2D366CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369472Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:02.313{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B96261993B7D5563CAF8921E2163E2,SHA256=50EF05E933C598DB4A76C51E4B3F47CA8959B0F19226109311FE655F12302048,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369471Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:59.546{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-33587-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369470Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:02.188{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96462121218A1B0C59274F7C31505DAF,SHA256=1E99FA69803F73A30270BDBD574761C105CAA4525CE10E4D085101986DEAE295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323078Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:03.931{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A44C96DE0A03C8533C253BD54280F05,SHA256=3922D87A42084E49D160BADF304AA1A75EDA6951EB4369383B39DE02170B6809,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369474Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:01.242{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369473Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:03.329{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE8570C2BAC4C24CCB1A945FB14C1FE,SHA256=410A486D83C31C9D5FC2CB73B62CB04A823BE1C64F3248DB0BA93C9C0C9F47AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323077Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:01.605{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49949-false10.0.1.12-8000- 23542300x8000000000000000323079Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:04.947{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF18F4D975C0E45A1E75023BEDDEBE6,SHA256=932B70275B5C83FABCC3B391731DE7C0525E00560D5FD75CCBACE156CCC94F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369484Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.564{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B6FB376ACF2651505926963C6B10109,SHA256=0B892B85964A80D50F44CCC6A16DADA91C455C6FE2752F4943D5AD5465CA35B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369483Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE0-619F-4901-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369482Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369481Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369480Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369479Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369478Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EE0-619F-4901-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369477Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE0-619F-4901-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369476Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.486{27B459FE-5EE0-619F-4901-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369475Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.329{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45199B766DAF6B611EDE4AAC8425E907,SHA256=091D8DC5539F46213803DB0EE8E3283E25A7C1CC374A04607D7C39E47FFAECA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323080Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:05.978{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB371EF3ACDE6E00F2EFD94B01B90E1A,SHA256=8EA19B4D7251D10E79CE5589973578E50B2C7CF4154ED766B75E3A680D281CB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369497Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.751{27B459FE-5EE1-619F-4A01-000000000F02}54045480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369496Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE1-619F-4A01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369495Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369494Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369493Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369492Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369491Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5EE1-619F-4A01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369490Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE1-619F-4A01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369489Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.440{27B459FE-5EE1-619F-4A01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369488Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.392{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8311CEBF19FD1C71CAF1315B81AB7CAB,SHA256=D331C97522F0D0125B44ADE2888DA7F76D3C3431570007C0E74D2E1EA09AAD53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369487Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:02.586{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58840-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000369486Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:02.586{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58840-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000369485Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:01.566{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40717-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323081Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:06.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19B97C0527BBE4D8A914037BF736996,SHA256=8BEF0C10BC246EDF21E37ED1B5F0901D3D21FE221BA83B2B8C29831F522EDD6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369519Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.985{27B459FE-5AC5-619F-1600-000000000F02}12882092C:\Windows\System32\svchost.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369518Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.985{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369517Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.579{27B459FE-5EE2-619F-4D01-000000000F02}51765620C:\Windows\system32\conhost.exe{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369516Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.532{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369515Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369514Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369513Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369512Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369511Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5C05-619F-B200-000000000F02}47484988C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+1f9bca|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+175660|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+17c4a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 10341000x8000000000000000369510Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369509Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.499{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000369508Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE2-619F-4B01-000000000F02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369507Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369506Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369505Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369504Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369503Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EE2-619F-4B01-000000000F02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369502Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE2-619F-4B01-000000000F02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369501Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5EE2-619F-4B01-000000000F02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369500Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.438{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4FAD6B5177B19571D53FE813DFD2834,SHA256=EB836643D231C4895D038000BA788889643E9DFD85C9FDEBAEA6B5BFC2567770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369499Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.392{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5FC35663201817E924576885026541,SHA256=89E9897AC44B9594339161E81560046189015AEF2803489F861470CCB0FD23D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369498Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:03.917{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-49478-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369534Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.735{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F495023C71F8611F05D7B9BF02116C,SHA256=3E2C9436CAB6E8A02620C2E3F1F51CBAD791CC71A84D3129CD6255750602245D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369533Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.735{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B00A61B045ADCED6A004C820A2A913C,SHA256=FD66B452225BC49B65355DD00446E80C11A03BEB8D2695C21698B5F95C49BCB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369532Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.048{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369531Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.048{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369530Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.048{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369529Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.032{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369528Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.032{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369527Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369526Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369525Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369524Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369523Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369522Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369521Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369520Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369545Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.860{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA249EAE099DC7A8322769F3AF9F805F,SHA256=EB5F9C699893B9ADF6A4654F58EEDC2C5404AB4EA2E090F3567A3C6E3F067C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323082Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:08.025{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7AFA66D7FE43D7A00C1C72DAC508C1,SHA256=CE20E4C31BA8BC20223C66AB350D5166919AD37B8EBE4C068945FBA2B6DCF7B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369544Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.845{27B459FE-5EE4-619F-4E01-000000000F02}34765408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369543Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE4-619F-4E01-000000000F02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369542Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369541Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369540Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369539Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369538Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EE4-619F-4E01-000000000F02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369537Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE4-619F-4E01-000000000F02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369536Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.549{27B459FE-5EE4-619F-4E01-000000000F02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000369535Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.871{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-56603-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369556Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.876{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C4BC649804857C208E93A8576A53FC,SHA256=82432332B359354E067E13D473474872C67844DBBFE3692D1186B00C58C74EFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323084Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:06.715{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49950-false10.0.1.12-8000- 23542300x8000000000000000323083Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:09.040{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D6608D29639B2D053FEF1BE15ED921,SHA256=6531EFA95E4A09FC232938B0233FD179272949D82EC0F64F0783DF9C116B4D68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369555Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.392{27B459FE-5EE5-619F-4F01-000000000F02}55725536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369554Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.360{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BE4F6CAC802EEFA66432B26FC4A2494,SHA256=D9B56BA393FE9B8C4FF47E83E2FE41758AADF7CA4A38BF9BDF76023593B1E8ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369553Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE5-619F-4F01-000000000F02}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369552Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369551Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369550Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369549Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369548Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5EE5-619F-4F01-000000000F02}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369547Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE5-619F-4F01-000000000F02}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369546Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.049{27B459FE-5EE5-619F-4F01-000000000F02}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323085Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:10.072{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90458DB34273558718930EB74C3DE2CF,SHA256=E0E8393449C69C289CD49DEB15EB183F18C30AEFF99A332E268557C454A788CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369574Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.298{27B459FE-5EE6-619F-5001-000000000F02}59086004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369573Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5EE2-619F-4D01-000000000F02}51765620C:\Windows\system32\conhost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369572Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369571Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369570Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369569Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369568Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369567Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5EE2-619F-4C01-000000000F02}55965504C:\Windows\system32\cmd.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369566Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.252{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershellC:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 354300x8000000000000000369565Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.180{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000369564Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE6-619F-5001-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369563Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369562Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369561Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369560Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369559Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EE6-619F-5001-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369558Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE6-619F-5001-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369557Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.080{27B459FE-5EE6-619F-5001-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369585Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.861{27B459FE-5AC5-619F-1600-000000000F02}12882092C:\Windows\System32\svchost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369584Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.861{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369583Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.845{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369582Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.845{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000369581Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:01:11.657{27B459FE-5EE6-619F-5101-000000000F02}5912\PSHost.132823080702529545.5912.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000369580Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.642{27B459FE-5EE6-619F-5101-000000000F02}5912ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_srgrahq5.bui.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369579Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.642{27B459FE-5EE6-619F-5101-000000000F02}5912ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aogicgwf.hjw.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369578Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.486{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aogicgwf.hjw.ps12021-11-25 10:01:11.486 10341000x8000000000000000369577Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369576Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.079{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2AA89A171049955AD7A0E66EDF28EAE,SHA256=6BFC4C2C642C1CC3DD167F544CFFCE0ECEB3DB036CD5238E3217189EF55D7614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369575Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.017{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E74C683493FD04E58980D5F4032409B,SHA256=A8A56BFDFFFCD557601233598540254BC6FD9CD56D8027A8C36254E06B23069C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323086Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:11.087{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B98EBE8F5D446781ED66EECA0D8835B,SHA256=BED04F4B88B6D47FC1549D50B63968AF132ABFB8B9415C0EDCC25EF3364D244C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323087Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:12.119{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C4D3ECE4A855BABE3E27F3901411C9,SHA256=DA3D2B77A954E84FEECC988C15487EA25F3271126571161F5C4CCABCE3F00C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369597Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C87657FB422F64B55CC701938ECFCAF,SHA256=FED5EA0D71D7616A148F81A33496D6D1F5A2DDC8596B5388868AB468CCA86FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369596Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.424{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=265F5542F89EFEBA992B64CDAB7A3A0C,SHA256=17319B857FA342DC5C4C1789783D91AED119E9C1B8ADC4D822222D6BA535FDC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369595Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.100{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-8254-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369594Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE8-619F-5201-000000000F02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369593Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369592Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369591Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369590Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369589Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EE8-619F-5201-000000000F02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369588Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE8-619F-5201-000000000F02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369587Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.096{27B459FE-5EE8-619F-5201-000000000F02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369586Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.032{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54593E067AB0D7F4C0F7C0B6C0FFA81,SHA256=E38EC978CF21E62C82738FF6C987F6E77F2368E8334484E0DF2DD1375C5D6BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323088Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:13.119{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9224510A719861E531E72A04E549547,SHA256=574EC46098EA1A66F4C2C63970BDAA7FD067A5D82DB68D1225CF22453CC5E6F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369598Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:13.032{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435CC24B5EE801CEDE9588604A7C7F08,SHA256=A9EA57BE032058FE45B120EA6F7776C2310167996E61C2F5DB73E5D6270F7757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369603Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56B74EFFF1DF09A6E2418BB7F7C19890,SHA256=21C0479AA63D3B961BEA368DC4AA304657168B821B9B34068FBBE56BA457187F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369602Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.689{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt2021-11-25 10:01:14.689 23542300x8000000000000000369601Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.611{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369600Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.048{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8F1781370E9DBE53E5546A16CF4FFF8,SHA256=D55BF56E2B9E1B901A58F05E91ADE944E980BFE79272EC24754D3F94E563D98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369599Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.032{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0954DCDC499B08122205EBCDF63F1AD,SHA256=EFD21F0A97564CE5A60DFAAEA365D0D90BD9CD4377BB548589A067700797A36D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323090Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:12.668{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49951-false10.0.1.12-8000- 23542300x8000000000000000323089Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:14.134{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550A3A8AF41677C949604C27757BB252,SHA256=0FF94D5CB58595D0F110CB2A6E6EDFFBB0EA5FB6A1B58E62FA1B4AA6F1FDF128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369609Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.767{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C820CAB07DEC62B35BDBB5C9E2352346,SHA256=1066D482F647BF8B1E8933B8D500D4FFCA16C810F0203504BBBF5946D4009FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369608Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.751{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42D718AB4B006A5CC4306656DA6B0493,SHA256=8F52D2A5BE556187445FF4571C2C6E4E63AE857E211F7686BB4D17BC21D9D736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369607Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.361{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EBC3C875D2288C2FDEA0BE96B64925D1,SHA256=0069783BFECCD19AA9AE98E219CB65FFA675B1A1B17546FF2B42DCBBE01CB9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369606Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.346{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3009FBC1010DDE6ABD90EA83682B3BD4,SHA256=CF0E44F68D44686334C6B83F23AF9497958A350033CB7DBC338B4CDE2A0F918C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369605Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.331{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC505133D657C5D117A774A33B8BD16,SHA256=68C5F40F629C5D7E978371222ECD233E450D09B03766496CF8EE8F3E8A40C763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369604Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.085{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-18779-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323091Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:15.134{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460B7ACE8DF19003CA75DBBB372C804A,SHA256=7F1D6E2B388D51B3C88391F0C495C74B558FAAFD946C00F55C3F619544906AF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369612Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:13.633{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000369611Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.289{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369610Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:16.251{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7DA87E7468EA26AFD6BD3F818B1A31,SHA256=11337CC44E06DD7D75ADBEA2216361142834CB257D0715B72564877B4609E567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323092Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:16.134{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242EE26473AFE68EBCBA6468BAF98AE4,SHA256=73CB10203EF462D3D2834585A1D96446936991E99C0BD41BAE0D81FE16A531F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323093Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:17.166{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D571F0F8C5D3AC765F6E4AFD7A8E5AB8,SHA256=8CFA36DCE9AC786FBE04123445E40A1F70C41C28B926F5D79AEEB12F93CD7557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369616Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:17.875{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=208A3C787A4809DAD1106EB273B3585C,SHA256=1D518A9E18F44D0606216D952D4DB9F7AB6BEA301A7ACDD032875473CCD6FC71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369615Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.560{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-25505-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369614Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:17.265{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5976F0B7FE4B8E8D2B6FF1458F806B4C,SHA256=C742EFA68F058BDA350A8D21D944AE4D292069DC891C8FA415540285285558DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369613Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:17.099{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-016MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323094Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:18.197{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A62006BA7F48CD0C781BD539C65CF30,SHA256=69E43402849A79E214C9A1C835F6B9D29A289179BBAD84B37E50AFF7B6875186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369618Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:18.280{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D976B003AD1E1116117C6A8520BDC3E,SHA256=0EA9FB274B8E04EB0BBF8265B4FC699F0234BB40141A0989E5EC2E3A5A2A9A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369617Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:18.110{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369619Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:19.283{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F5E3E992B27D59E75023F574A692E5,SHA256=F869A430F50D9C9241A1670ACA6EB383F9E41378607DA3BF96F23C18E949FFE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323096Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:17.811{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49952-false10.0.1.12-8000- 23542300x8000000000000000323095Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:19.212{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CF848B41878D209A5AF651FC27CAAA,SHA256=85ECD2B8FD2303C6619A4D0DFAF171E645D6CA643A8EE0A7F6F9F2086467AD1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369622Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:17.198{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-33051-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369621Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:20.312{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF13F57EFB3845BC393C64E7600833C,SHA256=BA2D4CF77B0C6500339E7773BB8E1B46F5855349E8470134B009BBFC6FBFED58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323097Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:20.242{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A69E6B3C0ED25A1F10304D362334C4D,SHA256=8BB8721FAC6F056B609EA36466B15E8CA1959132FEF7C4870AB5E3722906E7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369620Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:20.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82DD92457B5F426F9C886ABD4865A247,SHA256=2570BC155AAB00BF7EAA68CB0E1926C7B5AC09D0818DED7C6F313EA004F3E930,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369625Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:18.133{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369624Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:21.328{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFCE6E2E3FDE69355A1DEDC31C5605B,SHA256=92EA8873696FB7EA2438589B4CFC710FE8258DD40E56BA4BA8E9C7F6143C8CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323098Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:21.242{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847C0ECB0A9630FDE2347E4E1AE9BB64,SHA256=1FE88E1110BAA22FFBFC0C6B1079FD3D5C4B96DF2FBF33E4FBCE341B8CFEBE68,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000369623Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:01:21.281{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x65d22454) 23542300x8000000000000000369628Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:22.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6110A76ACA910EE837AB712095C3E365,SHA256=09D159090B19F44ACAA5B378D22624DCF11704589B61593CF6E7BB7A4EDC7531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323099Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:22.258{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E595EE4ACF94E75222074ECC71C2D1,SHA256=A72734713F6DB3C562323C2319E9320CAC1C24CB7B552AE72D5DDDC781962040,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369627Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:19.370{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40254-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369626Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:22.312{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0622D5DD54DF82AE8CAE1DDD2DAFD27,SHA256=66E875B0C7E4529163D2C55858BC39D0399ED2FBA45F486425539268A454070A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369629Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:23.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F13A2242CF2CB9C7BEC1964C050EA1,SHA256=8D424008361024F24CBC82C87576E14FD176C40E01D8DFA9F15702980B55826C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323100Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:23.289{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B87ABCFEA63080CFA2DE96497AB37B,SHA256=290227BE1E31BCE52A1961DC8B16F575A07DBFD1C5957684F902A49EA4A8FCEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369632Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:24.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D59147A60871484ECCC2AC4AC2D5E4,SHA256=236751D7ABDAE017794C9399C2CE063AC554AAAFC344CFBBE690DF1D9C20B6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369631Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:24.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489D1F76AC04574D0B02643585F16FB5,SHA256=894973B7940C25534E94DE22576731D2328E92A03F6378CC5A38E78658D4E354,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369630Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:21.620{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-48457-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323101Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:24.289{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A65737931CE38593953D311C7101854,SHA256=511204855CFBDCCC5604D7D8A89A3C1DF6149FFC79E6A6E60195A93B05F8D015,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369634Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:23.209{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58845-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369633Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:25.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C1D99C31045C3FA90A141B3DFC6F3C,SHA256=EA5D6B1F07487A3757EC1D0987B1C898AC40A9B2EE030D494858B6491541B69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323103Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:25.289{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC160B5630AD2133BD04BFF292E1A9E,SHA256=79151AC307C334FB643126C3B97859B473B7242D9A08A0FBF09DA82B766E681D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323102Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:22.868{99D2EDAA-5AC0-619F-0F00-000000001002}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-54129-false10.0.1.15win-host-61.attackrange.local3389ms-wbt-server 23542300x8000000000000000323105Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:26.305{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5780A21B602C2B91F087538F2B856575,SHA256=B3355B35FD72802C7114A950327D2C42F0FECA10458968050195BAB0B9103450,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369636Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:24.110{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-57117-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369635Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:26.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601352696985A1EDD1E4447EDB48DF16,SHA256=C4E6AE75A8260C3B20851632755B7AC40427A91453E20201E0256AF4CF67C096,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323104Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:23.713{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49953-false10.0.1.12-8000- 23542300x8000000000000000369638Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:27.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5275C82D3E17EFD4E987E6DD840CF584,SHA256=5FCFCF6B8B58F86DA3B3830FCED4D4FDDD421FF28DA3F75FB95F06B23F196807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323106Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:27.305{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABA2FB01A6996ACFA48BA8BA53F7AE4,SHA256=6259AFB542C093345FF51678F7C409F940DF25106C29CFFD4AB6D7A17F1CF696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369637Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:27.000{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=314D03E2E53F6FBC0BB2687D2C1D463A,SHA256=1E4A89104E5B034B8A8323D97C95ABB52FAC989C33D4160C99EB00C480CED7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323107Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:28.321{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C419C226B33EABC8B5FC3312C1C4EC3,SHA256=A5B9AA6994B02A4AFFB406C349C33CA548B295F85943A4067CE23E0ABB4084AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369639Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:28.437{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E5D151A93ABF02319AA0EC9F6C0BD4,SHA256=405BD9CBD16AC7F6A46F578DE86952014C20A512FDB1ACFF26D9BBCE778E6B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323109Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:29.383{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=35878E77E1AEE029651D66E36B8E9189,SHA256=72378A4965BD5FED4CC7BAB2C6470F124B534FFFFADDD2E2FEC4500F35AF2FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369642Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:29.437{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CCF19FFB72E3EB89182E66105BA9D2,SHA256=CDDDEBDDC9BDFCC6A73F711E86B02108B20602975EB94BA72472FF806F37AAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323108Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:29.321{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EEFECAF61B78D0A51828EB4A0E3DE9,SHA256=B434331AD7894A6660A5AE2AB8BA39356898D59C23AEC41D808243A62C7FD955,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369641Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:26.165{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-6147-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369640Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:29.141{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2306C0DFA30D689EB97996384C1C218B,SHA256=D6FF51F063A75FFFA13F8AFE5960F582DEEC6E85C67F7930CB02167E6888FE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323111Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:30.352{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CA423B7ACCB55E3F17327DB8A8F20A,SHA256=8422BAE1B203BFEE07D490C66AF3001144F119FE6CBF86CEB5A1CFAF3F872148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369645Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:30.922{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55015210B21C7DBFCA77C3D3FB9A34E4,SHA256=4C6E99A329249877B3B2ADC01AFAD69CBEE530319BB04BF1D33B7BD8CC2C203E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369644Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:30.437{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772368FF548B1B6864DAA06951009D7E,SHA256=91083C1CA0AF16C9B7D319969BBBDD5A595393010BC7A8534E8120910AED87E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323110Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:30.196{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369643Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:28.225{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000369652Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.766{27B459FE-5EFB-619F-5301-000000000F02}59443476C:\Windows\system32\wbem\wmiprvse.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\combase.dll+251d2|C:\Windows\System32\combase.dll+25afe|C:\Windows\System32\combase.dll+258bf|C:\Windows\System32\combase.dll+593b8|C:\Windows\System32\combase.dll+58fd0|C:\Windows\System32\combase.dll+65dd4|C:\Windows\System32\combase.dll+c2904|C:\Windows\System32\combase.dll+63051|C:\Windows\System32\combase.dll+64850|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+da374|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000369651Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.594{27B459FE-5AC5-619F-1600-000000000F02}12885136C:\Windows\System32\svchost.exe{27B459FE-5EFB-619F-5301-000000000F02}5944C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369650Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.563{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EFB-619F-5301-000000000F02}5944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369649Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.547{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5EFB-619F-5301-000000000F02}5944C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369648Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.547{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EFB-619F-5301-000000000F02}5944C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369647Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.453{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96859032F6D1971C29C4ACD4CAE4D92B,SHA256=ED2F6FE44EF3F2847176F320CE8CA96E3986151961D9D348601AED72C6655615,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323114Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:29.729{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49954-false10.0.1.12-8000- 354300x8000000000000000323113Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:29.729{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49955-false10.0.1.12-8089- 23542300x8000000000000000323112Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:31.352{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C9AEE61F9BEC84C44788B33CD8FDD6,SHA256=E78560238D7FAE3E5D4CEF0C2EAE2F440B12F3245E588E859DB9C365147B10EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369646Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:28.343{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-13791-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369654Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:32.578{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCB198B9FB35E9018BCC6571D797DD5D,SHA256=884C39182DE3A6BE34D6343AEA1B81726BB6BDB7B3D116A1CBA67CCDFBA89FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369653Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:32.484{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33ADFD22B1199B64899C72B31B1F043,SHA256=BD21DEF21F2FA564EBB6AD372E575F6FC5DAA8694BEFBE2EA9A9ABB453EFD6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323115Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:32.367{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD7FC78F3B1D1A03A2D1591BB112861,SHA256=675366F82DDE392E53BC6419292AB928D9BE4E1C9B20DF7BEB65FF9D4F21A19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323116Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:33.383{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0E45AA642CEE97F5A66F386AFB99EF,SHA256=040E07D2DC72C05DDE191DFE32890AD6F0169658A608A3FE76DB020223782618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369657Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:33.500{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C0BB65A76794E28DA12F8A54F89D52,SHA256=830C7BB3F978A3DD4578EFE0AABCEE604AC5AD888801ECC10FC79E5F3FEDFF97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369656Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:30.718{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-22449-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369655Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:33.000{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5C04-619F-A900-000000000F02}4220C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323117Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:34.414{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2DA14CB229B3E4F40F89004630B5BF,SHA256=57F63117F135BFB6304875C6D43095EC0E3A62D3300B1F4F031EB93C1443E04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369663Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=893B81E8415532560D4F9469A596D1BB,SHA256=016BA9421A782A97227E468B9CBDBBD388CA94EBDADCB971664444EBFB3887BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369662Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.547{27B459FE-5EBE-619F-4601-000000000F02}6136NT AUTHORITY\SYSTEMC:\Windows\System32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etlMD5=0E932D44F53440D94EC8E068B5F17C4D,SHA256=4A79284976AEE7AE63A2843A3E70C9BCE26FDF387A4328C1150D8BC52025846C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369661Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.500{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F153A21C3247B5CF829118BC7B0FBED,SHA256=0E34A75A409FDCF70549607C1C42E5B3186078C3B22A1D38841D0FA1EB335437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369660Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.391{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6C024A3C0B54C803982445C0E69DCF5C,SHA256=EA4836D9D7FA67CE479AC83F450EA41A8BD97AD9444D0747E26241EF72F19BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369659Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.375{27B459FE-5EBE-619F-4601-000000000F02}6136NT AUTHORITY\SYSTEMC:\Windows\System32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=15F2D97D4CC84928F7B1C451696E46CC,SHA256=681ED90C97CC621F8D31C36C594202838DA4C282F9FB850E53C28AA024ACCF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369658Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.375{27B459FE-5EBE-619F-4601-000000000F02}6136NT AUTHORITY\SYSTEMC:\Windows\System32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369664Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:35.516{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B79DB664998406C07A6DAE8D6EAF02C,SHA256=93F0C1FB9D9F52A576A4F69DEBA10E07A2DCDEF78BD496010FB9DEF8D27216DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323118Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:35.414{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7378DD23B3C6ADB1D374E38A1BE3A9A,SHA256=A28EA370295312C66035BEC923609491A023C8E27A30E74E7E5DC8E3818216AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369668Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:36.531{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E642B7953AA1035205E54408681CAAD1,SHA256=BCF5BCCEC7DB3FBD3E14593206F6691830BFE15A65A5855A0EEA3E77A0FFB1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323119Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:36.430{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137272A34B37C3B672FB068E612683F8,SHA256=8445FD2484648F8E8A00C02ACA28ED4C0E5E98C295344F5F5E380106B6C7C037,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369667Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.209{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369666Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:33.900{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-34049-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369665Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:36.328{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6E6B3281AFFD35B3985C4B6DE0FD2AE,SHA256=724C9749614C76A17DC62E6B2353E37ABFB19378156902C9B9D0C4B598CB2868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369669Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:37.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F406998E9F72B84262E949D7AD7B6C7,SHA256=1DF4C60E1011236FB94F7991C44B1B3BC18C200440E44AD1B876328669FE41D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323121Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:37.477{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5D8F1BEB94AA6E2DCBD2CD81AEB95C,SHA256=F0FEC2E3ED4F8C3374C6C2E99580FB08BA3662DE00FA0C96788C452BE4E99894,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323120Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:34.760{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49956-false10.0.1.12-8000- 23542300x8000000000000000369670Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:38.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518893F94567A43C98018393684666D3,SHA256=4B3038A8E4342506B45B86F6AE17597B8C3BFABA435FC38633CCE2DF58838A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323122Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:38.477{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44ED2FC06415C5744794AE533C8BB685,SHA256=3B982201DDF61D99EA8057FCFC5877CA1E4AAC33895DDEE120E580086D855C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369673Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:39.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E0F988183171982C54B01B508DAD4A0,SHA256=979EEA583707CAF2692AB2D693943CFC77A89C20F2B8F0E01A1F0AC89337B000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369672Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:39.574{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437DF45DCB46F1B502273B804379E99E,SHA256=4570C9C626D1BF5D1417B3FDD258F48966C76B38DEF4361148E4A56C242102A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323123Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:39.520{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFABB36850ED1ABA0D1529B0290685FE,SHA256=47043F7C1236F8E0E9E3AE39F15CF4BB5E13E753120218107F38F1C3A6ECBBE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369671Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:35.777{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40873-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369674Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:40.574{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5B5EF64FD1804D94C3BE187F3640D3,SHA256=A5F6CBEBEB9F19351CA0B164EFF4297C5FBC1244BC216472B9196B726F48EE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323124Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:40.520{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0F6B2DEEE8076733AC60C6C11306F3,SHA256=6B5E9086BEA694040A4C6BD56FD295725BCB87EBA5377608E75A918BA9104866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323125Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:41.520{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F0A2D542DD3A93822E38AAFD5C2F28,SHA256=1BB2B5DB64D08F2A1A3C129852B564B130C7FD1753790DBEC79239170A566887,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369676Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:39.412{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-51976-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369675Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:41.590{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F3C3DCBC6FC811DF68609A9D8EA2FB,SHA256=A7BCE56E8FD11CE6C545D9EBC4D4350937C4ABCFC14D239DC6672C7D0ED532C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323126Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:42.567{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112B196B1A91B8FC5DA53F620C38659D,SHA256=8F9858144003CBF5B40FD642400D16696E7F0C05A930EAA2B4A9C6E89030ADD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369679Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:40.112{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369678Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:42.590{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDFB4D42E9E25F490CBE11DCF5DEB48,SHA256=DFD9F61F0A951B56A0BBAA565F6BD5DDDE191EBB534501638842FEC240F1139D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369677Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:42.106{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19FD62FA0251B49CE39B0F77E598B304,SHA256=7000E1B6FC2C01F99933D193A953158F945E715A69EFE7364C64459ACF1719A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323141Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F07-619F-1301-000000001002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323140Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323139Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323138Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323137Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323136Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323135Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323134Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323133Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323132Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323131Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F07-619F-1301-000000001002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323130Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F07-619F-1301-000000001002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323129Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.880{99D2EDAA-5F07-619F-1301-000000001002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323128Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.582{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36700DA0F35F299015AEE2A64128085F,SHA256=C8D7347EB1540B46D680D57875379BC54940E3C6BE27B36E8B4913E04CC8CF3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369681Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:41.428{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-59320-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369680Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:43.606{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEAA04306E91391397BB675E61FF74B,SHA256=CCAE6CECD4E15060F2FC9587B6645934E43511F61B3B51584B9C82EC9E864001,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323127Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:40.600{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49957-false10.0.1.12-8000- 23542300x8000000000000000369682Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:44.621{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D468305F94350A2472D814B9B3F507E7,SHA256=C1D531F17A86192D50F6A56C78C217F72A5AFF43C45953F7A7BAEFC5D4BE126F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323144Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:44.957{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAB042EB77B1D65760A8ADF246C2C736,SHA256=E59F907CF671695F1E150D29BEACF82DAD5CEA79321BFDD6F585B2C22EE3376D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323143Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:44.957{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7982F50E17DF3A2B520447A73565DB8D,SHA256=2537521CDFC88E195A62E16D16EE4F4A405034EDAC24B73BC70B0BAE4B542B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323142Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:44.598{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A561A3BFEDCAD3774D0896B812D6EB93,SHA256=E26FC49E6F737B35341B5F7F1A7C60D14B3E4C26C149FE51DB6081B9CE2946D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369684Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:45.684{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8923AD4D19E633CAB0C8F147895C72D,SHA256=2EFB9E3E34B61C74A1EDA561B7DEAD4D1D34E1C15BE428EAAFD9766127AD82E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323159Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.613{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD906737C510CBF52F0F18898711744A,SHA256=A2458426567E9FD46B2607A2D6E9A44385C2075112F6DD99CBD34528987C6BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369683Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:45.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D93C985D7B5A5A9260019D59BB5C052,SHA256=2A2596A6EE7F11F985FCAB75B56697E826AC33CE8B3AD61D628A4C328ABC0A6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323158Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.192{99D2EDAA-5F09-619F-1401-000000001002}40081116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323157Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F09-619F-1401-000000001002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323156Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323155Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323154Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323153Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323152Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323151Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323150Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323149Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323148Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323147Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F09-619F-1401-000000001002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323146Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F09-619F-1401-000000001002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323145Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5F09-619F-1401-000000001002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369685Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:46.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97055D7CF5ED97E2A14BC49F74947DB9,SHA256=5DC894675E635589601E87DA69D01AE1CB2F7DE52BC69BD5C4C333FF92D2E9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323174Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.613{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D347AD04F9F4813558E23E68CF75641,SHA256=6F262967BCB32F1ACF180E96CD10E9153CAEA223815311D5578EDC5E7BBE6DC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323173Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0A-619F-1501-000000001002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323172Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323171Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323170Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323169Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323168Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323167Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323166Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323165Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323164Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323163Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F0A-619F-1501-000000001002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323162Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0A-619F-1501-000000001002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323161Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.068{99D2EDAA-5F0A-619F-1501-000000001002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323160Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.035{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAB042EB77B1D65760A8ADF246C2C736,SHA256=E59F907CF671695F1E150D29BEACF82DAD5CEA79321BFDD6F585B2C22EE3376D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323191Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.770{99D2EDAA-5F0B-619F-1601-000000001002}30922788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323190Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.613{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AA0EC6A0FB05B731168D7315FC571C,SHA256=060F796DD07CB0A2030D5A9241928D9FD1CF9B4871F467ED882A07C7B7848A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369686Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:47.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AECD8702659D5C14C05F87231E30CB,SHA256=19B08D0C9C1A957FAF781ACF21311C6238F8A6820C03A1185DEDA55F64B5392A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323189Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0B-619F-1601-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323188Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323187Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323186Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323185Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323184Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323183Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323182Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323181Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323180Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323179Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F0B-619F-1601-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323178Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0B-619F-1601-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323177Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5F0B-619F-1601-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000323176Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:01:47.488{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x75711739) 23542300x8000000000000000323175Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.270{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D849707E52FAD3AC51DF417E75BBEF63,SHA256=11601D5C3D70B9F96DC8A120B7E8A520FD468E75BF74A3C1EDA72CD34EE4457B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369695Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:45.159{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000323208Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.800{99D2EDAA-5F0C-619F-1701-000000001002}33283636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369694Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C6828C35996D56F9CA8FD64A88050D,SHA256=0F08B538F843C88C8EF990EB8A44B41D8F8C04BFCC3391E8A29FE9F6C4A91EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323207Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.660{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA89F0F7C1EF4874C423D375454DF8EC,SHA256=D48278E514840A58580CDCB50C83073E27BCF038344E0AFF66FACCBDBAB44072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323206Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0C-619F-1701-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323205Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323204Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323203Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323202Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323201Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323200Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323199Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323198Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323197Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323196Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F0C-619F-1701-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323195Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0C-619F-1701-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323194Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.645{99D2EDAA-5F0C-619F-1701-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369693Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47482232C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323193Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.597{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61E1819BD9F3A9A5A80BFA596F1ED148,SHA256=ED9B81FB9266EC725977330B14E689DDA69291116B797873CBFB3158EBFB13E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323192Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.600{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49958-false10.0.1.12-8000- 10341000x8000000000000000369692Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47482232C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369691Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47482232C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369690Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369689Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369688Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369687Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323224Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.690{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF039873CBC19596DC35AC88A445BAEC,SHA256=4D8A2AA19A5953FAFF924D0AD7352B6117A843B769D219F1937EF46AF8806900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323223Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.690{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6CC7147E319AD6C2E4644A430AB41AF,SHA256=6F24881CE537B086957FA815AEA5CEFE38382C0D04B35838FE42C23AB4EDC519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369697Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:49.793{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=332A96E686608C534BE375C5D2092BCC,SHA256=072B6590FA3E0D8A8EE675861284191E192793CD9DB2318CA177434BF64B1EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369696Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:49.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6894A3F64E40CCCC43E5AFA06FAC6614,SHA256=91578CAD3386061D10F33C913DC059CF6961E4B0600C9E080970BAC00A6FF67D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323222Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.581{99D2EDAA-5F0D-619F-1801-000000001002}923528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323221Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0D-619F-1801-000000001002}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323220Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323219Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323218Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323217Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323216Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323215Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323214Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323213Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323212Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323211Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F0D-619F-1801-000000001002}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323210Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0D-619F-1801-000000001002}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323209Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.395{99D2EDAA-5F0D-619F-1801-000000001002}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000369699Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:46.706{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-10420-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369698Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:50.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529F457C2D31282FBF4E09ED85D19401,SHA256=662E303CF19280FFA2C2C5A93F55E2FCB3780B69B47460A5709F6AFDE8A30D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323238Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.721{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEC60C169BB6FEC7EB8CA797D0A4389,SHA256=4B5131BA85F1D57FEEDCE58BE9D45E15DC318CAA23AD5AF222BD0C955588CEFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323237Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0E-619F-1901-000000001002}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323236Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323235Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323234Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323233Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323232Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323231Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323230Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323229Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323228Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323227Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F0E-619F-1901-000000001002}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323226Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0E-619F-1901-000000001002}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323225Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.691{99D2EDAA-5F0E-619F-1901-000000001002}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323240Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:51.736{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860F5E70D1E165CBBA522B27874CC141,SHA256=D3B12D97E26ED80E44B36B96351401618F7480ED9C6DA6822BB0F4C64B49020F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369700Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:51.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024AF5B461A9E9360B7DB90AF16FE197,SHA256=B0FB0375FDA6FEBF65235D3E8636290164D80E832305FEB364A06377DED13E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323239Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:51.689{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7006B08C7F49031727CE01712C82A58,SHA256=F4945562EFA70260F82C6CB1633E46F120AAAD7FEEB03EF36F98FABAFD32BEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323241Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:52.751{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FE1EB138335E255A5A65AD00DD88D8,SHA256=0E4362B717C4E3A4B0EBA09D14C8820BE3B08D9325FA85251538372E0721C359,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369702Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:50.452{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-18939-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369701Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:52.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE7D022247899BF6E228F3FEBF40344,SHA256=C2F38100516B7F86D12D573A6E6FEC5FEABCF639EF0D0DA0188D57E127842233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323242Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:53.782{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79C2D515CE1D1E446E746AA1D077C04,SHA256=963974073B6F73010E355E9E16A15EC2A5D584AD729F448CDCEA747E7D9AF0FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369707Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:51.080{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369706Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:53.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CF530C39BD9B71078F1A4382E0DEA1,SHA256=544DBD1FF6F383823AE20C4CD12196687DE43D023C7F4EAC22FC725CFC224734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369705Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:53.356{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A9EA497967AA38042E41EACD68B22851,SHA256=466068DACA7BA478D6628F2385A49B7C2367412FE0B482144B7E04ABABC3A3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369704Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:53.356{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2C3EB7656A59093CD9A4F1DB2FDF8590,SHA256=2D4BD16108169ADC4FF0C6648744897E5904875EC8D4F227E8BC5F2393AE04F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369703Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:53.231{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84FBB0CBE0E8A55F3C2CD454655445FC,SHA256=21B30A259EE6DE1AD6027319E2EE90FE11243B0F20D3D780805DB7A0279A0891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369708Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:54.747{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACEB30F106DD0E593061067A259242C,SHA256=B3F8752FAA6EEA850CB9F98E995E9F4924F9B0EA2A35882C3A622D70D183A3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323244Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:54.781{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6C2C691B9360B116B30F662D1EBD55,SHA256=93998B0AC757E90E7A115C68560CA56E2A5425E6B2C22DAFF1AD03FB32282093,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323243Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:51.803{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49959-false10.0.1.12-8000- 23542300x8000000000000000369711Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:55.778{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7501DE23F57A04CD6BF40513BA6CEC3,SHA256=5928366C65DA892ED0B8D1FC52CD0AA50BDBC702166DBBC7D37ADD78862B96EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323245Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:55.781{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F1F17AE135F4990DA6756ED8BEAE86,SHA256=9370F2408D9EFB08ECB49B76A2AEF82C2CC0CDF6261F892847132E472404ECFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369710Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:52.582{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-27341-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369709Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:55.403{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C46FF909A08F96C5115C8CC7F014DE0,SHA256=B5D65C8FD23AA144175D7B49CC1E8771BD7FCDE8D321B6134EEDD00C222A1195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369713Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:56.778{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201E76D3CBDC95C2A46A866EAD1F2E05,SHA256=137D11CE895ABC0BB0C162F888442AAC07C2DB25BC7BFB45BAD55BAA017FF436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323246Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:56.781{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA93F4C566C23567E93EF585D6330E0,SHA256=9C573F46F24F3C97A25940AC8CAB2F0E93F393ED3D667FCACF893382C17588E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369712Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:54.682{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35391-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369715Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:57.950{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=422691E612A0780886D987D8D8DE023A,SHA256=7053F44AD7E0B26C9B60C30CBDAF45E641757DC70BA52AD2D92BB3FF27500CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369714Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:57.887{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580DA5AABB29FAB0EC23A0C429DA37B1,SHA256=79B55AF8391F3A4831448F8F209480670E257D89E04264C6FC4FCB59C6B26E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323247Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:57.780{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8E896236162416D88489CE3AD45702,SHA256=BB69B703D8CDAA27B382FC16313BD7231D4FE2CF7281456B538DA32C979CCE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369717Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:58.887{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF76E402B318F9BDFBB7AAF129313C1C,SHA256=536A2FCDDA32FC43323DD0297D09435887F9B44E65783B34DEC19FA2CA03806C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323249Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:58.780{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F37628411EFA93B85CCF5DDD3FA21F,SHA256=086AFD77FB57BB87B5BC2C9DBA40D2EFC3617F1B2D5FC887D0E9FC6C2515B5A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369716Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:56.112{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323248Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:58.519{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-017MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369719Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:59.889{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CF275269DA706F70C412CF796C23FE,SHA256=5CD01EA035821F268AC58C59114E30D7E5F9CCC87FEDA1D5FFA49247B5EDCA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323252Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:59.795{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B6BA3058BEEF5E19CF30D63D1C6E2E,SHA256=79E3E9B0B7CEA02939A140A24DBB5B0E693960732765954E61F777DF9FA49C44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369718Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:57.424{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-44862-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323251Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:59.532{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-018MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323250Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:57.618{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49960-false10.0.1.12-8000- 23542300x8000000000000000369721Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:00.920{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083553AB1A65720D4EC5445DB7F195A8,SHA256=270488C5B559ED07FE9CAF5771B0A1584815B57C95F4A9E84E9137861539FCBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323253Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:00.828{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1A4EBD129AE0D0AB574DBD2EC56677,SHA256=0E82F7DED774806B6B0A2C62CD06BC0F4403DC64AF37FE7C15D6109CBB0FCA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369720Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:00.342{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFC420DF110CCDABDC0B9978BF83E24A,SHA256=561B93DC5F85FD4A47EAC12E1CB532A567CB7A73C349A36C84368692475115D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369722Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:01.936{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DE12A12899E2354361364CC7DD1F27,SHA256=E54533719E3D0D146302E5E072434EAAE9AC35F98B41D5CC95DC0C1F196E73D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323254Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:01.843{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC781DBC435C15BC11CCB80EE6F6D10,SHA256=ABBA0ACC1A090551954C9651DECEE985F100084AD29980146963D8126D9EA266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369730Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.936{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493C07C5313D68BA35250522BD0E879E,SHA256=FA12021CCB90F06438A0DC99540D3DBD8B2CA30FB2A4F9D957E1427AC1D4D7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323255Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:02.843{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF650CCA78D037AF0406DFEA01AFC3E,SHA256=9E8E53F9E74D1036E6DF0D4C8266D88C311A0D850C1EE9E8FFC01FF3895F098C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369729Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.717{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369728Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.717{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369727Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.717{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369726Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.701{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369725Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.701{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369724Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.701{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369723Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.701{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369733Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:03.951{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D620F351205CAB282F28405DA855B5A,SHA256=4887EA3BB72A856D24DE5718135BB0FF60EA87581ECF9C3C4350F37F07CF208A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323256Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:03.842{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77FF709B83C43BF56BFDF626DA3AD91,SHA256=32C6AEDCDEE99BF54F341566043275F62504D73E2EE8EF0D9F7666D353299F3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369732Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:01.301{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369731Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:00.901{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-54007-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323258Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:04.842{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF29CB48F5958D3BCFD93BC5AADE666,SHA256=9024283D7043AD7C3009C955400389870FEAF965A38C0C998645B725E10D25F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369745Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.952{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A10736AC7E1276F2DD1AB4DD652B50,SHA256=6F3E400E24867560319A153D72E51C2F6AD928C6C4F9373A15C4C65BCF12FF5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369744Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.598{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58853-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000369743Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.598{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58853-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 10341000x8000000000000000369742Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F1C-619F-5401-000000000F02}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369741Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369740Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369739Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369738Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369737Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F1C-619F-5401-000000000F02}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369736Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F1C-619F-5401-000000000F02}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369735Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.421{27B459FE-5F1C-619F-5401-000000000F02}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369734Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.170{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=126F93F1234AFFA147EAF4BC847E6281,SHA256=479DCE45C5749C17DA9CCBF70B2B1B4A7CBA9D6241CE1115D3AB140DB9DF13E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323257Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:02.665{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49961-false10.0.1.12-8000- 23542300x8000000000000000323259Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:05.857{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D03010623FFBB78703D4541310FC943,SHA256=114B348640B705BC4F390888776CE74E0945BD6CA78203265DEDBF898BAD9FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369756Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.967{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A9C860060C87565C790E4749211E76,SHA256=23813CE9DB17D5C2918DC023BE0A0205947A8CA0CD2A66A90A7B2F76DD0A64EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369755Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.655{27B459FE-5F1D-619F-5501-000000000F02}41805588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369754Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F1D-619F-5501-000000000F02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369753Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369752Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369751Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369750Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369749Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F1D-619F-5501-000000000F02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369748Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F1D-619F-5501-000000000F02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369747Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5F1D-619F-5501-000000000F02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369746Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.420{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8FBDB00FD239760AAE3C01330CDD0E2,SHA256=26EED488925FE5E952CD90A664435C5BD6DFBC1677628669447CD08F89D82BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369766Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.967{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D761B4CD8395F1825B7DEA5EAA7BBE6,SHA256=2A53DF4F8AF22B8D2E7FDA319BBD896525D00BFD8A91CA6D0F7A68DBACD4EE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323260Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:06.872{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB38EF1B719848AE7394406E478D4664,SHA256=00728F3A97BC5931E6E9FB610618EFE6012384252A4F45EEB40219057C28E72D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369765Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F1E-619F-5601-000000000F02}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369764Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E634973FB9F386E50F000003BC2AB1AE,SHA256=FB0C45A327769EA6EBEA0D1C1C99D9FB1B5F1908ED92841A58A72CD8F15B60B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369763Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369762Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369761Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369760Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369759Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F1E-619F-5601-000000000F02}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369758Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F1E-619F-5601-000000000F02}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369757Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.468{27B459FE-5F1E-619F-5601-000000000F02}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369769Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:07.967{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01472B5FE9A926D68576EF0C4030A2D8,SHA256=4E0DFF25C10F021CF35BC4AC1BD0195D3637B082AD9224EB3B5C8957B0CFB8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323261Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:07.872{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1C8FDBC69FC46F54FA175AB2EF8CCD,SHA256=B30A87DF6A73D3CBF2EF45BAC9AB750AC24764AB911BB59894EC0EE0380930A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369768Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:07.483{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E75A1D8BFE0E20C51F1F580D47CD1999,SHA256=EB7EF7D7125B1809BBF84A430CD480001C41BBA2C4E02F096BDA7E4F00B5F5D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369767Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:03.576{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-3452-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323262Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:08.887{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82122A6A61EF8C17D8AE4C22AEDD87E2,SHA256=36E9C5CCBCF62A7DBE93FDCA5F5AE070AFB792C6136D6BE03501050FE7DA80D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369785Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.905{27B459FE-5F20-619F-5701-000000000F02}47442700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369784Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369783Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369782Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369781Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369780Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369779Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369778Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369777Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F20-619F-5701-000000000F02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369776Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369775Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369774Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369773Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369772Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F20-619F-5701-000000000F02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369771Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F20-619F-5701-000000000F02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369770Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.546{27B459FE-5F20-619F-5701-000000000F02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323263Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:09.933{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB4903509B7A1E3513DA4E5C76C7880,SHA256=31F963DE136DE53BA2F549433DC08C012A1CA32810E1A99FA4F0CC1DB5EDF2EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369796Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.327{27B459FE-5F21-619F-5801-000000000F02}35245948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369795Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B47185FA2820A211B379ABECD66765D,SHA256=458C31A8D780B27B2F17F867B1A16B882139E7C8C994DAFA0F4D5D85E2A600AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369794Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F21-619F-5801-000000000F02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369793Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369792Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369791Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369790Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369789Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F21-619F-5801-000000000F02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369788Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F21-619F-5801-000000000F02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369787Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.141{27B459FE-5F21-619F-5801-000000000F02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369786Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.999{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006E32367857AF6FCADB912AFF751D9C,SHA256=AB265C2598A3F1C75F95EC45489BE42016AC2BF3E78EABFEE6228DCF14D9530F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323265Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:10.949{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A79428C4761C2D8F8BB33ABA953BA4,SHA256=79050C7BD8B2B49B3D875EDEE95EB8CAA1C95A1A9422248A49128318899BACC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369809Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.670{27B459FE-5F22-619F-5901-000000000F02}40645936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369808Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.358{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F22-619F-5901-000000000F02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369807Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F22-619F-5901-000000000F02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369806Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.358{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369805Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369804Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369803Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369802Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F22-619F-5901-000000000F02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369801Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.093{27B459FE-5F22-619F-5901-000000000F02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369800Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.139{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFEE69262C6AEA0FA520EF325A2843F4,SHA256=46E64D020E2F80233C7F073489151257F0BFC1059EC4A4430E2D332BCFA7DBA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369799Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:07.160{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58854-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369798Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.341{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-11805-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369797Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.014{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37B3DB24F433D8EFD62E272574BEC5E,SHA256=B37E76816DC5BF4F95D619457256854C631CAB4BF2C18530A8C721A6EB4F8DFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323264Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:07.790{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49962-false10.0.1.12-8000- 23542300x8000000000000000323266Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:11.964{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCD0BBD7C9C8A71B748061E5F131830,SHA256=B4786F925C0BC7D20E3DBB8C99C40F5F29133BCB5B1C31E80C19C1BE793918ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369812Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:11.639{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=704CD5110F0E3BE4F2D6420B92F1EA72,SHA256=04418A6DEF22EBBEA80644A4F9BD723A618C98710AA03B469832070D41B6493E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369811Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.472{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20413-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369810Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:11.014{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4291D41814C2D1E76EFE54956F94CFE,SHA256=F466D5DF57FD7B10B20D03FDA912FE950A1AFEA6AC18AC37944103AA9D197390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323267Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:12.995{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD980E1828D2CDBC36483BCC7F6ACF7,SHA256=BB9E93B1A072C63D2442ED435AC07B6FA1598D85404372837C596C7B593A04D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369821Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F24-619F-5A01-000000000F02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369820Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369819Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369818Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369817Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369816Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F24-619F-5A01-000000000F02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369815Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F24-619F-5A01-000000000F02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369814Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.062{27B459FE-5F24-619F-5A01-000000000F02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369813Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.045{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4402C5DF5EA0BFD0B6119BE5E6D664AD,SHA256=3460446F637F79CBCE10BDE1122BCB07B96D01E5D59A287679884CBE49175359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323268Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:13.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D456229F98F0AEB8323D7B50374B6E,SHA256=29C9343E5A2DA2C19AA23F5667E9E88A11DB3A2504076BC152EE80A6F1D9928B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369823Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:13.061{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF8C7A71F3758376A0464BE6EC327FB,SHA256=142E9AB765DAE3631B251713DCF18845EE0CD135DA6735DD5CC3441003F3495A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369822Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:13.061{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8C91AD830DC73853D7CE59892EDBE4,SHA256=BB3D8C05903C87B853515A5A823A7DC76F18651FA244EE2C75BADED2F85739B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323269Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:14.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EC24DD489ED9BD4466A05923DC6E24,SHA256=6B0FE2D0BC86109985546F90AC90ED816527A1342A494C991A3DA581DADD99A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369826Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:14.639{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369825Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.901{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-29339-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369824Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:14.061{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553C2BE20F21AC312BB6E1A41AA4A304,SHA256=C5ED4AB5CBA3BCC26E2A368097D0ECBE080E23624745545D1E01E5AECC9ECB6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323271Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:15.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AE875F17E41D16FA9CBD07A181A837,SHA256=976589DE0DD35908D33CCF202E5B1DDE5F5CD39DA3A5F603D426BA6934F9A6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369829Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:15.827{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC79F843852774D76C606C525AFD1210,SHA256=84D3F8A80955E61E6DAD31E6BB2F028139BC3DD66E7C146421B54E007D73FFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369828Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:15.077{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EAFF6A38E1FE5E1B624C61FFCE9F84,SHA256=4F39260E1D9F00B8DE2E5127DDFFC121293AEDE7FB854AA9FCC8F86A33170F99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323270Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:13.775{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49963-false10.0.1.12-8000- 354300x8000000000000000369827Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.177{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323272Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:16.993{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E90CCAE43CEA43BDC19757394F75D30,SHA256=0605964DD1640512C14876DDBC3BEDB84333A44446CD69E0E4215EF1F94C863F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369832Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:16.296{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3190FE788E63AEB96A54B6C9DA02F9A2,SHA256=F1A97AA6FEB2ED807943561554B2BA347406256A030012F98FA88B704F5929FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369831Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:13.660{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000369830Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:13.034{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-37990-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323273Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:17.993{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F8927B0EF256EBD033600154C97DA8,SHA256=C65DCB6BB306474BCD91B43FCBD0DF220D2A61F8B9F2F932ADECC32F3F6636DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369833Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:17.296{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828B8F64ADCD602DD6BAC36FA6FC2A02,SHA256=E9E02FFD4F6DE959A298454DF79910A094F0E13DD277F70131FF7CC42B3CE23A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323274Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:18.993{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED56614895BFD6BB85D674ADDF00B08,SHA256=C9DF5E04F99651A518827443A851811D0807E286AD470E80F267B947D1707C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369837Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:18.647{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-017MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369836Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:18.360{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9D1532900D55C83BDDFFBAAC7864580,SHA256=3610C29D837AFE063DE3974C5D3A3DA59D02AAE372FE6B92B70DF66A515213E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369835Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:18.298{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28C37754BD9BA5F43ED5595118B3504,SHA256=2F7031B24BC1AC2685E43BB1A7681319DF64758F3C4E987F943225A3FD660F79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369834Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:15.099{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-45518-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369839Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:19.647{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-018MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369838Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:19.324{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A18438C7F6FB56FE4C5E5512380FFE3,SHA256=D25494CB158276B9BDE2F74CD123909B2F2203CE79D68220DDB187DA0970D169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369840Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:20.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8643573C5B52AB46D74D87717242C18E,SHA256=1F5A2EAF483D2597FFC05CC34971DD9B1E22BB470007326093F90AD391A721D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323275Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:19.998{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5B04094083EABFFC5E3D2B184D6966,SHA256=5065C35BCB0D9603BB9DC7CBB8F752704EB8E8900B73196C0641370261BFC502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369844Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:21.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFD24E1BD3C38CBC22BDCC3BBBAAD49,SHA256=A08D50A94675C545C66CB96711E9104FFE4E9AD54F41F5B1864E7102F8AB0535,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323277Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:19.781{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49964-false10.0.1.12-8000- 23542300x8000000000000000323276Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:20.998{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3618237A420DD324FF416A9A705FDFCA,SHA256=578870A47ECFF44FDEE647267303FD880B4AD28A0EB5E4962F8B75B5F3544AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369843Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:18.157{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58857-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369842Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:17.602{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-55591-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369841Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:21.133{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EDFCE96AFD92EFFED8DDB3EEAA4C1F8,SHA256=A5AE3E80715412DB7F24AF9881B2C848049C0D1D06A1FB14C11A6FDC9878F340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323278Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:21.997{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BD4165FF64B1A5D30359F4902CE289,SHA256=9A1759CB70D54C443D969BD21B01F507A00007ABDCCD4AA272EDFF30073993BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369845Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:22.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C991EE76B0FDEF8125ADEDEE82C2B664,SHA256=69414FA2DEB7EC9F0D7F24230FE9E95273DDEDAB28D3B5AE29BA76539BBBC946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369847Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:23.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1409A556249E861D806C6F6323EC424,SHA256=DD5217D38FE1BD7670746223C32D561F5AE0A34C55556697828EE3F2CB7049B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369846Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:23.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383B3A3529B0CB4CB2DB998AE35551E8,SHA256=512109851EC3331445E35D499C7697581A2837DBD4EB8B39E08E3B920FE67E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323279Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:23.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89872422235FBE550CBE130BE00E2DA7,SHA256=C084F2817667B12FC7E46A5930012F045F0220217A5940CD0E214665CB434A1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369863Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.461{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369862Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.461{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369861Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.461{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369860Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.445{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369859Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.445{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369858Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.445{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369857Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.445{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369856Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.367{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CE336DB6B5160BDE526B95035AA427,SHA256=BC514709B763FEE3BF45412D894D8510DC9BED4814BFA9D61B492F051DB09C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323280Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:24.012{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7155FC58A784E172EAEC7BF61F066C,SHA256=7C19810517168232804A26B9975F6F927CC648FBCAAA3B3ACC08C98073EAFC72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369855Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369854Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369853Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369852Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369851Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-5F30-619F-5B01-000000000F02}5284C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369850Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5C05-619F-B200-000000000F02}47484988C:\Windows\Explorer.EXE{27B459FE-5F30-619F-5B01-000000000F02}5284C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000369849Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.283{27B459FE-5F30-619F-5B01-000000000F02}5284C:\Program Files\Notepad++\notepad++.exe8.192Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\1.ps1"C:\Windows\system32\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=40BE20589D819C3C9A40CC6F0D730560,SHA256=69652BC3169A746975C9BE917E80F4573BFC6E35844BCCC2AAE2621D9FF573A2,IMPHASH=3BC3FD4C1203B4D6795EAFD8E6CED030{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000369848Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:20.386{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-6865-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369866Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:25.492{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A5C98087CD69C40F09C86ECF063066,SHA256=F82B514AC678AAAE4E171068946859999E2CD11E23DC8F3B438C05087AFCD158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323281Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:25.012{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCF630E15801397B604D5160F25B672,SHA256=809B13AE61EA1D3CFC1E54B4AB055D94573C0527DEB31E73868B9FF81233E4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369865Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:25.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A97984485F36BC98AEBB4028FD0258D,SHA256=149555880A0C8013025ECBBA28D6FA773DCECBE5116F44E40060F33070B4855E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369864Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:22.605{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-15451-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369868Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:26.492{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EB352E072732D2927B8298CB8DA470,SHA256=B6891B6400D589E34D61695CFB1A737E427C421172C1084DFE1779A942A31413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323282Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:26.012{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3879C9A7209BF8F2ADA8F6D8D79881BE,SHA256=781226521226FDE9B3007A7476B2E50039265AD9DE71634920A03F03B366F717,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369867Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:23.200{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58858-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369877Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.867{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7584EB52F5C636DEFD7D926B6DD79436,SHA256=840062404C7FA8B9CE83DB7417BEB35D3BAD943A6FF55FDDBBE35C3018DDAE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369876Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.508{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871136794EDB1DFA6CCB24A73F48EDC1,SHA256=C89BF3EF6D6927F83D8036DB76F603D71674D14A174E44033778CDF1F59BE322,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323284Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:25.702{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49965-false10.0.1.12-8000- 23542300x8000000000000000323283Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:27.012{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787A01E291AE29195F4669FE4FDD920C,SHA256=D184F5AD9924F5E733E40565403CB80BE6476F64122E949341ADE1D30E523505,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369875Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.320{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369874Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.320{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369873Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.320{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369872Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.305{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369871Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.305{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369870Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.305{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369869Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.305{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369879Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:28.523{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C3ABE11EA78C3203A5E3FCF616E86B,SHA256=4C3297BD6DF2BCE8EE0A171AB114A3B5FC2D17711CBB15DAAD66994A854A40D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323285Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:28.011{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CFE504EB2799E4EFD153A8DD09E295,SHA256=522976E96D6F26D060DC2B223455C90584B0EDECDB1AC1191CDF223ED1FEC5C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369878Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:25.057{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-23719-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369882Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:29.523{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E99694B2901059FECA573ED8DFA6765,SHA256=D9EE57593387FE0383AD7FBAC9D7A9D34794590903A9B4551145F9329660D56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323287Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:29.370{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4CF8514E38C61DFAD174D27039E1AB3A,SHA256=09B5E1665C4E5AC6589DA64EBFFCE4E0CD23D6BAB0135526B1E912DD91771AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323286Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:29.042{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BFE0CDEF492C691E25600CEB76DCAF,SHA256=BB12DB0440E7CA88FFE4DBA06AD2131053E15D7DBE88C55801134CD795077173,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369881Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.151{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-31735-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369880Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:29.352{27B459FE-5E7F-619F-3A01-000000000F02}4176424C:\Windows\servicing\TrustedInstaller.exe{27B459FE-5E80-619F-3B01-000000000F02}5476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+7d088|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369887Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.523{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0323160E478EAAE3C98C6C809CE290,SHA256=E1D5F04E4C163162C1ED78D93ABDE30F22BBAEC0C31135DADF1955A67D43A9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323289Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:30.198{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323288Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:30.073{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FF63D410EF4703B215B8CA96E6BF58,SHA256=6AAB977508FA350AF061887A1FF9B8EB04D9DEADBCB77B3ACBABD1D8A1A197EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369886Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.352{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=541E899F62D39CB0515890AC262698B0,SHA256=3135E5257771A2A4D5B65F2DD85FB7CD4B057633132E71E8A9BEA71D89C0DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369885Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.352{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A9EA497967AA38042E41EACD68B22851,SHA256=466068DACA7BA478D6628F2385A49B7C2367412FE0B482144B7E04ABABC3A3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369884Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.242{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A4E46915EB748E3F41864C8417CE4BF,SHA256=EFB6C07994D1BE986ADAA9BF36511B82F0836C27F6CDAA17A1D5541F0ACAADB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369883Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.023{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=54E2C18DF7CFCF2A548A754F2065E88E,SHA256=1F805073BA3A80CA838C258E15E0623710C9F51E27FC0C908D807EF9274B2F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369889Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:31.523{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC8FBA421D0645DAB49ED8E82FE5BCF,SHA256=1A5237FB2151CA6144B6430B9CF9968535929918B3E23BB2425485343AD9A138,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323291Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:29.750{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49966-false10.0.1.12-8089- 23542300x8000000000000000323290Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:31.073{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA030212150819DB614BB77BF35F6A3,SHA256=8F0DF7A85432887662EE7913AF1DB8C876F6E23EE2D0E7E30BCCC778E64DA2A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369888Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:28.216{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58859-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369891Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:32.539{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28217D9CFF1F08A9990786B6FE2ECDCE,SHA256=88DD5F3502B6C4D9130ADB03E04104E7CDF3041E25944089A29E64CFA19790CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323293Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:30.828{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49967-false10.0.1.12-8000- 23542300x8000000000000000323292Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:32.088{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DD110E3A5B3A1472279A3787A5F180,SHA256=46D7BC7DD4327C187890D407C2A56EB8012005EB9308887C055E347CBF159329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369890Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:32.352{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1008F046102164CB2AFA42728B14AEB,SHA256=991606D59E7B74B9E605DD1DD6014675AC975FFBBFEFB5CFBFEFF230F23B7589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369894Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:33.570{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0B5C14BE73FC72CB78262B281DB97604,SHA256=2782028854500083F29F0925C01C99ACADBF253F5144187F202D5EB1F9190714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369893Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:33.555{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DFEB79E594E7AB1A3C9A93A50C27B5,SHA256=B9BEE60F3A048D51510A16C97C6D0FA31AD184C3E6C81821A03FEEED8E4E3C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323294Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:33.104{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61390CBA82CFB4CA6D1AA3DCC76BC078,SHA256=36F199176EF7FDEB20AB60DE12AFCC3628E8742AC0A5412BC87213D160CCFC82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369892Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:29.434{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40103-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369896Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:34.586{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE779C3D52229E7A6D2DF3CECF158267,SHA256=C341624DF4D5CFDCCE392825ED05A6AA74176F1B36171BC0BC2B4BD5643687DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323295Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:34.150{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38233F1D2069097E9704E711FDA339AD,SHA256=25CFCC947DFDF4399EFEED71428BC55C9EDC2798E867A3165C5E8E1DC2B31C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369895Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:34.399{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2224556229BF17A75695A0F63DE3155B,SHA256=21E1E7C28959C7FC638649821C6EDDCA000843EB2A2D7B632AA3580288584F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369898Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:35.586{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C716BAB17F344301357E3D916A7D2527,SHA256=245D590B8291B060B244CFDFF76FE50164560E8CE37B1E66B76D13F43FA68CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323296Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:35.197{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0A72E2B5B076843C39611810559532,SHA256=7B0576CB2586A132BD53768DE71E5CDCBE63E8E0167DDA2F83F3A8D023A1BB86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369897Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:31.903{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-48842-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369899Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:36.774{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEC132381E3A0CFF9576FB3A994DDD5,SHA256=FEA0D43798004F182EADE506043BE4EFF6E9F57E195CB2B08D8A2220E7CA751E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323297Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:36.290{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD337927AF20A883FA5518C69F8DFA5,SHA256=245FC27AC71ED9B0479769878E79BB046E64D75914776BB6C5587131678BD10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369901Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:37.789{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B013831B319DDADD3AD97C554EC7D5,SHA256=594F6BB241707A3A42564D8F7D242A73D57FEE8832AA9E89C973EA32F9487E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323298Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:37.321{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA78124CFFC39891B8B4C07320495F8,SHA256=D3733F529ABEC5C72D59EE7ED1E7743C27EB1E8BA546505CE516B30011720959,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369900Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:34.216{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323299Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:38.383{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FFF9F6C637DDDAAE6EBDAC2696A41C,SHA256=7175207CAAB843D726ECED37ACBF334C8C6F85DECA8787363DCB589570962620,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369933Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.790{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000369932Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.790{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000369931Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.790{27B459FE-5C05-619F-B200-000000000F02}47485116C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369930Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.790{27B459FE-5C05-619F-B200-000000000F02}47485116C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369929Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000369928Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000369927Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000369926Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000369925Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369924Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369923Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.742{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369922Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369921Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369920Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369919Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369918Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369917Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369916Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369915Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369914Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369913Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369912Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000369911Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000369910Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000369909Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369908Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5C05-619F-B200-000000000F02}47486028C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369907Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369906Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5C05-619F-B200-000000000F02}47486028C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369905Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.696{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369904Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.696{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369903Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.696{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BAA0C04CD904C6D8F924578DE835A8D,SHA256=4779441C7C72421F62B7F3168BC8A63EF34EF007581000F6ECA4CD8191DB618A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369902Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.696{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=245DF3024708E27F86E9F1430DADE601,SHA256=3F992A966754AC053CA3BB5D2A6FD799EF72115213AD9721E036496F116A9693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323301Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:39.383{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70C7E6B0B79BD7F60CB6281A4B20B77,SHA256=6E7CCF2BB4630E0571F7290A91F0F4895A6CAF980991D62E61E396489E516BFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369970Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.995{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+131ba3|C:\Windows\System32\windows.storage.dll+130e1d|C:\Windows\System32\windows.storage.dll+130d31|C:\Windows\System32\windows.storage.dll+130cca|C:\Windows\System32\windows.storage.dll+9ba99|C:\Windows\System32\windows.storage.dll+61d16|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 10341000x8000000000000000369969Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.995{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+139883|C:\Windows\System32\windows.storage.dll+9b910|C:\Windows\System32\windows.storage.dll+9b867|C:\Windows\System32\windows.storage.dll+9ba37|C:\Windows\System32\windows.storage.dll+61d16|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a 10341000x8000000000000000369968Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.995{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+137543|C:\Windows\System32\windows.storage.dll+61dd5|C:\Windows\System32\windows.storage.dll+61cf8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000369967Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.995{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+61da9|C:\Windows\System32\windows.storage.dll+61cf8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+13225c 10341000x8000000000000000369966Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.980{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+e5888|C:\Windows\System32\windows.storage.dll+1a3c19|C:\Windows\System32\windows.storage.dll+1a3a75|C:\Windows\System32\windows.storage.dll+e65e6|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000369965Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.980{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369964Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.980{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369963Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.792{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF819AC3F14FCF7B919C0AAE0BDF4D7,SHA256=CDBF0C708CB8801FB5B883EE264B73F9C8C16C4385D58DD1F4F8C37B0E1E93DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369962Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.573{27B459FE-5C04-619F-AA00-000000000F02}42445136C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369961Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.573{27B459FE-5C04-619F-AA00-000000000F02}42445136C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369960Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.573{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000369959Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.227{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A32CFE3EF4B3E407632786716F10E76,SHA256=937044AE2093892FA1B48372409629E0196AF70EAE55C9B84772CB2D081F6AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369958Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.196{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358C28C0AF735DDB78291FD82E21E403,SHA256=EA26FFEFEC4A4C230BFCD07E86D8CCB9F982E38141C5A771673FC6C4FE4535E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369957Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445136C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 354300x8000000000000000323300Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:36.719{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49968-false10.0.1.12-8000- 10341000x8000000000000000369956Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42443440C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369955Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446140C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369954Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42443440C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369953Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446140C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369952Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445136C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369951Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445672C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369950Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445144C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369949Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446108C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369948Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445672C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369947Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446108C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369946Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446060C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369945Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445144C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369944Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445336C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369943Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446060C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369942Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445336C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369941Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.071{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369940Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42445876C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369939Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42445276C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369938Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42446100C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369937Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42445724C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369936Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42444064C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369935Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42444280C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369934Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42444264C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000370024Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.792{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5B27F61903E8D2CBD69D7270D8F0AA,SHA256=8818BFF91D7D658EEA770DF134A833A09B816BDF023A70B0C481F168D3102BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323302Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:40.388{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8399E5DFE70DC06178C4E61256611AF3,SHA256=C2F02FA9A4C9F5969BB3165A629D14E9EBF6983A9C5F05F97BB7F61E7AF49D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370023Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.776{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BAA0C04CD904C6D8F924578DE835A8D,SHA256=4779441C7C72421F62B7F3168BC8A63EF34EF007581000F6ECA4CD8191DB618A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370022Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.464{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370021Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.464{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370020Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370019Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370018Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370017Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370016Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370015Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370014Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370013Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370012Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370011Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484616C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370010Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484616C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000370009Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.014{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-59358-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370008Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.198{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54D26470EEFFF3AC8213F1192B855B7,SHA256=642BA8980C5E6085EB26D16CC57EB6BB09149856BE398018C992EE09788CBD62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370007Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370006Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370005Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370004Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370003Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370002Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370001Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370000Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369999Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369998Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369997Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369996Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369995Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369994Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369993Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369992Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369991Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369990Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369989Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369988Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369987Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369986Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369985Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369984Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369983Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369982Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369981Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369980Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369979Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369978Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369977Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369976Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369975Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.026{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000369974Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.026{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000369973Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.026{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000369972Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.026{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+2a3075|C:\Windows\System32\windows.storage.dll+75263|C:\Windows\System32\windows.storage.dll+752da|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000369971Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.011{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+2ca532|C:\Windows\System32\windows.storage.dll+13b515|C:\Windows\System32\windows.storage.dll+74b46|C:\Windows\System32\windows.storage.dll+2a2fd7|C:\Windows\System32\windows.storage.dll+75263|C:\Windows\System32\windows.storage.dll+752da|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 23542300x8000000000000000370025Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:41.792{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C245A320682C626D83FBCCB2E782B72C,SHA256=E3989075F5AB570FDAEEEF562EE73F4C5680398E32482CDB55F869FDE1C59D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323303Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:41.388{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2AA5D4F6C7477C0DA974F8E2DEB0A30,SHA256=2F8DB010E0CFB34D7DA769DE433243667869E70BEAF326A5E3A918EDB868D5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370028Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:42.792{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A81DD99982951647DA575A7A7F5D639,SHA256=A3B81EA7C6D385C7B135B7719564026A82F03E07DB44161A63EAABF364E1CBEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323304Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:42.403{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADFF61C6F1C84444E66970EABAAC599,SHA256=E55A8B0CD2EB5B2921F8ADF373EDB6F676FAD0F1717DA64F97170D956E448A6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370027Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.203{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58861-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370026Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.997{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-7477-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370031Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:43.823{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455955AC8EB57D20C7B23B95C3808BE0,SHA256=3F05A55E05A0343C75DF58F754CCDE3DCACFD8DF3B6C58935885BA625ACF5DB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323318Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F43-619F-1A01-000000001002}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323317Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323316Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323315Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323314Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323313Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323312Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323311Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323310Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323309Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323308Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F43-619F-1A01-000000001002}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323307Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F43-619F-1A01-000000001002}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323306Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.732{99D2EDAA-5F43-619F-1A01-000000001002}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323305Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.450{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39463A62CBA2D5D48128DF2393D28A8,SHA256=6F014D4745435CC8E179EC9424631C50010563F2022270AD09238BF0BC70F345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370030Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:43.120{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=403F0EEC0E48E70F7801D0E9604287DA,SHA256=16192B4AF5D68F9DC0864809DB2135B6F3E6F91B7D4A9FAE1C1F125D3EEC9B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370029Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:43.120{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8B843DED71DE6E508514F8BDF6AB13,SHA256=B05330DDD81987B8270F2AEB24ECB0AB148CE91F72DD7A240FAE6247DD371A7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370032Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:44.839{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3746E777DF7662FED541C6BFB7EA2C5D,SHA256=966784050824321D306956D337A5DDB743BC1EED159F7225FCDDE8D3CB310638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323334Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F44-619F-1B01-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323333Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323332Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323331Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323330Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323329Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323328Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323327Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323326Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323325Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323324Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F44-619F-1B01-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323323Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F44-619F-1B01-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323322Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.888{99D2EDAA-5F44-619F-1B01-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323321Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.731{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A884030362072875741D7DD15AFF7D2F,SHA256=1589A1CE24D158CC08387A9D6DF06922372F53B914035404B4F086D52FF495C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323320Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.731{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A106C1B4259B0250DAC0A14E664A8B2,SHA256=6C077E6181AD6E5A3FC23DDF7216A54C73C072DB1EA2DEBA1998FB110D0E24C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323319Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.449{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8764B6208E1F0D9A988151EF13B5DE1,SHA256=06C6ECB9ADFEC313D5C960B66E2666FE51EEBACCEA8093A1794490DA8D7D995C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370042Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.839{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A496CB2F5CD8AB9B21E658E2C031AE,SHA256=6AFABC630E0C513D5B62DDC73F5FA1089AF59453B2CE068B43CB2BB39DC1BFB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323337Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:45.449{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C34E06726A53BB10D1BD016AFE3C9D4,SHA256=F949C5410B2C929EC3D963768C505CD7C53E192F22F0C36D919486741FAF34B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370041Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370040Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370039Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370038Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370037Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370036Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5C04-619F-AB00-000000000F02}43364660C:\Windows\System32\sihost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370035Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.745{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370034Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.745{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370033Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.745{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x8000000000000000323336Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:42.661{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49969-false10.0.1.12-8000- 10341000x8000000000000000323335Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:45.059{99D2EDAA-5F44-619F-1B01-000000001002}2856956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323352Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.465{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610A9F12F0C77B1348A15883147FB359,SHA256=03C63C4A58AA0C8C8814888FA7C6B6C250D0F99BC116105249E32CB630EAE58A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370067Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.261{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370066Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.261{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370065Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.261{27B459FE-5C05-619F-B200-000000000F02}47485116C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370064Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.261{27B459FE-5C05-619F-B200-000000000F02}47485116C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370063Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.214{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000370062Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.214{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000370061Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.214{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370060Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.214{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370059Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.152{27B459FE-5C05-619F-B200-000000000F02}47484616C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370058Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.152{27B459FE-5C05-619F-B200-000000000F02}47484616C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370057Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.136{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370056Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.136{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370055Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.105{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370054Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.105{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370053Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.105{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370052Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370051Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370050Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370049Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370048Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370047Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370046Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370045Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5C05-619F-B200-000000000F02}47486028C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370044Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370043Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5C05-619F-B200-000000000F02}47486028C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323351Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.105{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A884030362072875741D7DD15AFF7D2F,SHA256=1589A1CE24D158CC08387A9D6DF06922372F53B914035404B4F086D52FF495C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323350Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F46-619F-1C01-000000001002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323349Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323348Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323347Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323346Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323345Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323344Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323343Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323342Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323341Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323340Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F46-619F-1C01-000000001002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323339Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F46-619F-1C01-000000001002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323338Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.059{99D2EDAA-5F46-619F-1C01-000000001002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000323367Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.714{99D2EDAA-5F47-619F-1D01-000000001002}9402836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323366Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F47-619F-1D01-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323365Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323364Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323363Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323362Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323361Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323360Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323359Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323358Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323357Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323356Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F47-619F-1D01-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323355Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F47-619F-1D01-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323354Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5F47-619F-1D01-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323353Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.496{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEFA5DD954BE1BCA456FEE1EE1440CB,SHA256=18B9C35DBDAA21A94006037A59059F57CBE6005551AA9E1E2769A5E003E41303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370069Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:47.933{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80AB09ABE9663FC3C5BFE1CD0EB0F0C8,SHA256=66B507600CC5F5E89E56D8E062FC0231D7FD03B792A4D9E2A59E061823633B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370068Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:47.183{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455FC03DA86DEDDB0E3F347AC84696CA,SHA256=376AB2D111C53D82E4C78C8FB199143EA943ACB7FBF654ACD63637AEE90B9523,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323383Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.808{99D2EDAA-5F48-619F-1E01-000000001002}352348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323382Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.683{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8577C058BA021889EC779183AF66FF27,SHA256=522E10E7D589538DF5A99B428F830038B969D0A81922713248F59E2E0441BBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323381Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F48-619F-1E01-000000001002}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323380Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323379Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323378Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323377Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323376Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323375Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323374Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323373Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323372Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323371Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F48-619F-1E01-000000001002}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323370Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F48-619F-1E01-000000001002}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323369Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.637{99D2EDAA-5F48-619F-1E01-000000001002}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323368Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.495{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1080172BCC1F08F3961FCA3E03A9818C,SHA256=E0921F12F645F09073D5329DA9A5A1757854CCF0DC38067F3FB8976310E01161,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370092Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.964{27B459FE-5AC5-619F-1600-000000000F02}12881944C:\Windows\System32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370091Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.964{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370090Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.949{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370089Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.949{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370088Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.933{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370087Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.933{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370086Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.887{27B459FE-5AC5-619F-1600-000000000F02}12881944C:\Windows\System32\svchost.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370085Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.887{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370084Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.870{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370083Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.840{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=692316D91A25AF8B547C462994F398F4,SHA256=A1A6B3DB0E6701A3F69D479348C7BD3CBB3AFEE4BD4225AF550EBB6B28BBEAB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370082Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.840{27B459FE-5C01-619F-A300-000000000F02}13445396C:\Windows\system32\csrss.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000370081Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.840{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370080Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.824{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370079Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.824{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370078Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.824{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37396|c:\windows\system32\rpcss.dll+3df7d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370077Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.824{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 354300x8000000000000000370076Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.141{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370075Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:44.931{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20258-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370074Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.511{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370073Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.496{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370072Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.466{27B459FE-5C05-619F-B200-000000000F02}47484852C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA5CC7)|UNKNOWN(FFFFF08320EA0351)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320E9FFD6)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000370071Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.466{27B459FE-5C05-619F-B200-000000000F02}47484852C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA5CC7)|UNKNOWN(FFFFF08320EA0351)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320E9FFD6)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370070Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.183{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A844A71E2A520D83992A2078E172F69F,SHA256=AF3236E15936EBC2F0E6943FFBC46EEDC7B2F229912DE8828A4D80F551DE9D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323398Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF35571259EFF5CE402B6AC07955EA83,SHA256=36E755A90BF330FC77CEE927D0E26259D34856A34AEA124692317A918FD8AE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370111Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.863{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D37740FAFE10D1E0E9BE36DDB938ACE,SHA256=2829FD815777D1B6F745D0C1EA0333F1724D969FE074EE2CEDCD084400F1A21B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370110Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444900C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370109Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444900C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370108Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370107Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370106Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370105Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370104Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370103Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370102Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.252{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370101Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.252{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370100Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370099Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370098Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370097Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 23542300x8000000000000000370096Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F435AA4A67295E581DB34C714818D45,SHA256=C5D5FDAAA4D6D4F9355ED7065C45DD5A357DB3837B1875A4C7D910408ECB8DF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323397Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.604{99D2EDAA-5F49-619F-1F01-000000001002}32401364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323396Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F49-619F-1F01-000000001002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323395Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323394Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323393Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323392Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323391Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323390Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323389Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323388Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323387Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323386Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F49-619F-1F01-000000001002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323385Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F49-619F-1F01-000000001002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323384Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.389{99D2EDAA-5F49-619F-1F01-000000001002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000370095Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.108{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370094Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.108{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 23542300x8000000000000000370093Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.027{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=D5177F7FBA6E1A60FAE687905CE97B15,SHA256=C0FE9E1A6041D21165134BE18779E7C9DA7F09AB70B5D697368D88186DA85C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323413Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.964{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3C0C50E7A370A8E84AE5DC09931759,SHA256=B29A3A91EA7FB029B491523663F4685DA100559E742BF9E29270B5F9654C2EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370114Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:50.894{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8593A273683D5C9C1C86B4CBA8F32BA6,SHA256=78D30A52E4C61DC06EB05107D0DE2A2D26C571CE078284B535A6102279885BD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370113Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:47.302{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-29161-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370112Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:50.472{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B6162B320A314A47726EA5C6DB661F,SHA256=E96392082A02DFB300DE77F99758C295F857D669938819A800B4A9237178C9A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323412Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F4A-619F-2001-000000001002}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323411Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323410Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323409Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323408Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323407Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323406Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323405Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323404Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323403Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323402Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F4A-619F-2001-000000001002}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323401Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F4A-619F-2001-000000001002}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323400Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.527{99D2EDAA-5F4A-619F-2001-000000001002}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323399Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.417{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B874AC6C35D425E06F7F608F98C7E456,SHA256=E1D561CE3D8B289D44409D16F9E466E5735A4C6B302226A97F07612677EC5FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323416Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:51.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89BD9BE0F20D6E2359799E5CC2030A1,SHA256=32736FC45498903319DE543608A5C2509C7740E680D016E96086F9728B4BC2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370119Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.722{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370118Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.722{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370117Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.722{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370116Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.722{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000370115Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.488{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BB8B81C3ADA8AADB29990D1DF89DF1,SHA256=74F63C26E85AE8CE5AF445B7FB9507CFD8B51275E225E28E9FF1BA8DF8ED13D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323415Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:51.542{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50337E95F0EEAD72EF87645572148953,SHA256=FB0965D5119EBA60DE28F4A938006218450146E67F2A552EF7966596E9C16EFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323414Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.708{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49970-false10.0.1.12-8000- 23542300x8000000000000000323417Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:52.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84FDB6E75A8BF0A5D8764BA3AA5C60E,SHA256=4164B876C46FACB3C118682BEC5BEC3221E3DC0C1AEFCAFDDD75410BCC494D0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370121Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:50.168{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-38559-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370120Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:52.488{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71438258B247B4CC8A665445F8D930,SHA256=A034127CA81D046E46BD747D7F9E0F69EE8AC1AFAC0F1EB512B037511A1714F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323418Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:53.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF84B26A1551261318DC1A44FBFE0C67,SHA256=7BA0075AA1A47DFC097EE994DA97335A7BC3BB2830BE5FCEAACFA21AF3A26DEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370138Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.785{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370137Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.785{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370136Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370135Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485456C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370134Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485456C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370133Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}4748324C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370132Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}4748324C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370131Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370130Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370129Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370128Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370127Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.753{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370126Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.753{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370125Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.753{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370124Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.753{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370123Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.488{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7A75EF920F2132367AB63DA13762B4,SHA256=E9E5F2C7651E9BA6D3BA035915458EC3CB9B192857D43BFF0530B2C8775D2E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370122Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.285{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B47DC31FA54C829183F173DB4FFCEB5,SHA256=AD346AAEA695C5DAA6BA44D98EA5E3067E6EC1FDA0A755B172460F0222C7E681,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370140Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:52.117{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370139Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:54.493{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0727EFDABE79F17FC96076AA3492D666,SHA256=5082101BFF70F1FE0A700662DE917FD3180390B138899E4AD4EF61E160AB6A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370142Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:55.493{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC21738817525B8474DFDEFE297AF8E,SHA256=9AD9B3CA1F8DE0159787510F9D971CF71F9168A761C67125E081E921A0E1F886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323419Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:55.025{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2FE94AF2506D8E6ADB1FF551419B1D,SHA256=EBA4BC9A6CB18FF67A7169DB4B594BAF578731BBBD495F57A80AE1462B33D885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370141Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:55.462{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C44CEA17BEE44B9EC30917E808D61E6,SHA256=1D2685414B707798223FE1944E308C9E6CF21160EC3713649D01264AF855D9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370144Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:56.493{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E463DB1C09B892F82E0A0C5B6E83A9,SHA256=6F9E086B92024735FB953B56B61EA2D7C16CC8BE5184919360E2870651BAA094,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323421Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:53.771{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49971-false10.0.1.12-8000- 23542300x8000000000000000323420Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:56.025{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3F295002A2CF6ACE1E6321DE116D2E,SHA256=7D24F40DC9582FB74E4D721FF9615649487CA22B13F018A0108DF1CFDD51A7B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370143Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:52.622{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-48156-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370147Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:57.790{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53EC6E360709E4CDED3E91B6133FBA42,SHA256=5C2D59223B34F08986AAC0A0C5FFA627D4559F243DD83CA032B457702BDE9FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370146Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:57.509{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B1D4E6A550E30030BF50EEBE2709C7,SHA256=ABDFE0156531C661BA3FF26E6A62AEA3A6ADA90FADB0F71DC2694784AE21E18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323422Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:57.056{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBABEAA87A0032189420486801D0FA4,SHA256=E1ADEFB5DCF6C97C52CD867F2AF8986790767105E1F63100323212873C52466F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370145Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:54.815{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-56463-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370148Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:58.509{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D164B5CF6438970EBAE36909A39CBF4,SHA256=768FAC811F2FC73BD7855B3FC9E660C626A0D1A8EC4092A444538C3B928ECA07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323423Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:58.072{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE4AD82A693C2064A28AB45559573F7,SHA256=C9D9977103B11CFC23F6553236F8BF321CE811F4DD92601D13AA67469F34C759,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370161Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:57.201{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58864-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370160Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:57.030{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-6604-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370159Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.797{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C68C187FD5C56454757E0D7AA4FADC,SHA256=05360579CFE38A26ED749B784FF1525C72FF3E91149AA386D60779D2C32F4B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370158Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.516{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE92505EA25DBD7ACDDBB2091CB34FD,SHA256=D17540FF355BF8623ABD82A120C51DBE4BBC238BD98A745DFA84DA5715118468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323424Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:59.103{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F788146A9436B92F042C6A51E38E49,SHA256=EE6AEBCA57C1F6FF5D73286FBBC93F8044DF51AEF7CD9654C4F23DE30F150329,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370157Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370156Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370155Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370154Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370153Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370152Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5C04-619F-AB00-000000000F02}43364368C:\Windows\System32\sihost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370151Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.040{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370150Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.040{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370149Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.040{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000370164Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:00.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59356140556E22F3D707EB166A6A55C,SHA256=FA2A5D63D73F264B8A41428BD2559F4682B9A39BEBAC056155F96129547EDFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370163Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:00.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=25619E51DC1F4003FBF09D9D25E9FF39,SHA256=B91EA7C68C096ADE192F1E6A3D93DF5CC645BE0B7914238A9D5BB68BEFC95DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370162Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:00.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=541E899F62D39CB0515890AC262698B0,SHA256=3135E5257771A2A4D5B65F2DD85FB7CD4B057633132E71E8A9BEA71D89C0DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323426Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:00.108{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B748FC45F15318FF2254B5CC6B00B5,SHA256=66EE99B2526DECE9A5BE7C4C764EA184C247FAA8AD5D359CC03B1ECA66656B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323425Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:00.033{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-018MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370167Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:58.979{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-14328-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370166Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:01.626{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF6DEF9805010629CDC8F3B0E60DC4A7,SHA256=173901A73F7C458209A7256504D74157A80B31821636ED366315410B7F7DB751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370165Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:01.548{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4970A054388E2891B485CBD5163677F,SHA256=BF3DB79EA6200780F5834DA491AD7B62541A58D330CABAFBFE7A0DBE61251FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323428Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:01.122{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F4A597CD81DAEAB3BA87333F09CA3F,SHA256=72689942DD5B6094027835A69A3BB4EB511E387B7CE8C3EA7E209B576CE3BD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323427Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:01.047{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370169Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:00.874{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-21587-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370168Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:02.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DFB6BDD7EFC0E92A7B44CD785F15A8,SHA256=063265A1F58E960C0B5490309EB8DCFB59840D3CA72E8F9463D18D293D54B3A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323430Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:59.776{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49972-false10.0.1.12-8000- 23542300x8000000000000000323429Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:02.125{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044765D67CC3778442D196142D436065,SHA256=5148961EFA8C734AE7E119E4CCC16A955990624928627109E82CF3FE17BDE100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370171Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:03.985{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD4363546EA93D66CF096905D2B6FE8,SHA256=EE18D1840BF5ED1736886F947DCD2BFCB6D0BAC938D9BBE5400CCE89B762805D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370170Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:03.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66477E1F1654BB9DBE381C3CCACBD20,SHA256=C8CEEAFE7B4660D7C218206741083F3BF21F4EA46873D6AD0AE37C64296A2FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323431Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:03.140{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB3A0CB527B66DE80B47CB5DB3CCDC5,SHA256=AD93CB4B5B07056C80948F2DA004C3040E59BAB630B2EA97456E000118878ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370180Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.579{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABE77210EE657FCA6420DF0B29E9C34,SHA256=BE86EFED22B16D05EEB76312362E760D233904B13E2F51DC50EA4C2E8F731F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323432Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:04.187{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3447D034C0CE4C3CA9D7EA80E29E308,SHA256=6C784AD3AF85976B6A9D9F29B90328D5F861CE67D83BE73A6D5E7E3447F6DF07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370179Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F58-619F-5E01-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370178Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370177Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370176Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370175Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370174Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F58-619F-5E01-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370173Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F58-619F-5E01-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370172Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5F58-619F-5E01-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000370194Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.610{27B459FE-5F59-619F-5F01-000000000F02}59485344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370193Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E967C705EE740A841B4991BC1574314,SHA256=D4614A1ADB04FE5F98FABBBE2EAC5B71B5A5FD2F2AEB92842D7F29420D03C04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323433Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:05.202{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F3279D6ADE151A5F2CF7A3AACA6D6F,SHA256=B9B92BE790F5676469921A2E4964EEC25E28A477F3C83CBE584D64FD03E72AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370192Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.455{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B179E3F0F175157FA3912927C8F3D4B,SHA256=72A9219B3D7E0F8217DC0328BA936D479286D35630C6DEB7BA66921486D437BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370191Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F59-619F-5F01-000000000F02}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370190Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370189Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370188Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370187Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370186Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F59-619F-5F01-000000000F02}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370185Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F59-619F-5F01-000000000F02}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370184Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.314{27B459FE-5F59-619F-5F01-000000000F02}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370183Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:02.599{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58866-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370182Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:02.599{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58866-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370181Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:02.286{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370204Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.611{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26DFAC4AC4556A5B4DECF1AB165C617,SHA256=7D6BB9829539A00B1A237F6FDF3B0BD9DD397E91FAF98BF563CB7A3F8BBC9C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323434Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:06.218{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0DE5F3A337E44A748F12DF529308C5,SHA256=346A1EC6BE30E0AAEE925E9F97A8CD42829D0CF7B5C5AD221F668914BB6A2385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370203Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F5A-619F-6001-000000000F02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370202Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370201Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370200Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370199Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370198Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F5A-619F-6001-000000000F02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370197Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F5A-619F-6001-000000000F02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370196Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5F5A-619F-6001-000000000F02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370195Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:03.227{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-30530-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370206Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:07.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD908428E1175DD1244AC39F601CC87,SHA256=683D4D7D7811599AD9BB4EFED9E16975F212EA678E73BA562F85359C880D66E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323436Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:05.793{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49973-false10.0.1.12-8000- 23542300x8000000000000000323435Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:07.249{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689213BEDCE5E42AC4C3406100FC9DD4,SHA256=C80CCBEAC2D20FD94374272B3A0E9D5D19E03508FA3BDD408A69C15FFA409B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370205Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:07.470{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7FE5FB88A6DD11DE79C33A9E0B81012,SHA256=C53880AE258842561C086F0384B026E3C4F20C112AC2FCD9EAC1A4B17DC44926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370217Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.938{27B459FE-5F5C-619F-6101-000000000F02}46405816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370216Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FDF8A8497B33B2B54E443E56DAFEAA,SHA256=CAD757BF1D760D0FED23EDCE15DA7D2368A75FDA0145FCA40675D6CCD33F471A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323437Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:08.311{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523536B956B85F6754C62245E1732D76,SHA256=A318828B45301B13401294E8D6D27DDCF0EEE2B77B2682CE82C418FAE12D527C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370215Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F5C-619F-6101-000000000F02}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370214Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370213Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370212Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370211Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370210Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F5C-619F-6101-000000000F02}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370209Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F5C-619F-6101-000000000F02}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370208Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5F5C-619F-6101-000000000F02}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370207Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.622{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-39462-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370228Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A542D4371861723723B338C5101E63,SHA256=F34E18337AC0DD62867632E87BAE8530E1B5262E3A40ECAFFFEF05614BB8A534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323438Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:09.327{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1442401CB699CAB33CC5B76B2B7673,SHA256=51693F71ACDE62B4CF131027727F4041EFDDEAD35E3B61B52F4BBB96B1647B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370227Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.548{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1525529742FD70D79E6FB6BF3F64BF19,SHA256=AC63C4CF51F0E6510586AD03EEA3FFFAA93F4207B8FD391640BDB91FD08ABBA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370226Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.376{27B459FE-5F5D-619F-6201-000000000F02}41484668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370225Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F5D-619F-6201-000000000F02}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370224Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370223Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370222Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370221Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370220Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F5D-619F-6201-000000000F02}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370219Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F5D-619F-6201-000000000F02}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370218Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.096{27B459FE-5F5D-619F-6201-000000000F02}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370238Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71474FB8C3523B5D8C1E79B99569BD04,SHA256=5A3550BAFDA93C0B4967368A36E633BA2E65513FBAA234F53FC35DBC68A0CC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323439Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:10.327{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877F1F505FB61879B29719ADF838BA72,SHA256=E9F39D95E22AC973A14EDD5287465B15963D52E3AC1FFA938D9FD042C0FF87A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370237Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.407{27B459FE-5F5E-619F-6301-000000000F02}60044652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370236Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F5E-619F-6301-000000000F02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370235Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370234Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370233Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370232Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370231Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F5E-619F-6301-000000000F02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370230Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F5E-619F-6301-000000000F02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370229Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5F5E-619F-6301-000000000F02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370242Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:11.845{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74A84C8CE4D4F3E20E70EC823401DF6,SHA256=56E2496BD23EFF8B87D4FF2C44E257BF4CF6114B0AC362471892050BE9E3992E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323440Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:11.373{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232AEE907FE7F9128050D36DBEBAE094,SHA256=0730B14C678352F562493B3F3FD3557A935D5D7AECC6D24473053AC45A3F0E72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370241Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.083{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58867-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370240Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:07.701{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-47640-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370239Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:11.112{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44003E75FC1A01291F37A606152F1448,SHA256=08B0632CF0B03852A51780E92BC935444505B96BB5E64971D68C77B0E9136527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370252Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.892{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9518A19E1A51F2F7F57AA9FB719F2D60,SHA256=C946DD0FD2F0B6804190536F1A59F2768DF7956F8B9AD6675E4B9D651FBC9FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323441Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:12.451{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77C752BC85EC1A5954706A94C5A9FE3,SHA256=764DDB76CADAF5E69F8CBA0B849A331FD948C54167DB47E22CE7A24847EE81F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370251Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.454{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA37920234D6BD9416084C5741D39373,SHA256=26B21ACB3E411F4E4B0AEC5019294C57B849FFEA9093C6E89F240FD4B5E8F6F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370250Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F60-619F-6401-000000000F02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370249Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370248Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370247Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370246Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370245Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F60-619F-6401-000000000F02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370244Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F60-619F-6401-000000000F02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370243Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.080{27B459FE-5F60-619F-6401-000000000F02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000323443Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:10.824{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49974-false10.0.1.12-8000- 23542300x8000000000000000323442Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:13.482{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5191D4769FDB263ED5523E66CDBC6DC4,SHA256=B5E69AF043C65F09A6B0730B7C3AFEE2E48CEFFC7298F56E11B2769A8BA4EA7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370253Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.717{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-55873-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323444Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:14.482{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB43425538992088BCCC7871F209B60,SHA256=20124750D03A7BCE852ACCEB675394A4BFA02C6727EAAF11B0127BFD30E03B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370257Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.985{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D14687377A69B458670FB12D47AD2D16,SHA256=E08B50A45B2FD988F63B1B0160701B86D80F43179BBFBBF37F69C5C4BFDE12CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370256Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.657{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370255Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.329{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5FB836248DB52CCF29D7B97F0624D17C,SHA256=1DF0AB38B60117853AAE1AABFBA25702C794EE8CB4E2FACF35D10BCB18553F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370254Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.064{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202138A66E80802BCBE54D8E0F6B7789,SHA256=91408E987AD3275F942904E11EEA548490153133903F1FA609726F268E679DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323445Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:15.498{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7119B5BE71C71009F5B877AD742FAC1,SHA256=77F4BAED93CD7C4A91DCD28F659ED2CE39FD5C82F20109AAA087EAB6FE3C1925,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370259Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.318{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-6427-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370258Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:15.064{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC4B21AE47F387FFE6608B6C98BA706,SHA256=6305D46B9A8EDCF8B7D9F3062082630A5DFE154D2FA4E66CA9BE88F5AD7B11E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323446Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:16.498{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783D1D0FA940786460F4BA30A3E7A4CF,SHA256=C44C22A0DC7AA583FC4AC5BC5B897F79195D2C1E4A57033E3DC94E879C78A1B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370263Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:13.677{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000370262Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:13.271{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58868-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370261Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:16.314{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5BB0149B329C132C5713BEAB80CF080,SHA256=EFD1391593A974FB0BB5EECBFD4011CE1ED3DB4F0D82FD273FB816AB69806313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370260Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:16.064{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E77826404D24B85BBA3D8321D9F2B7,SHA256=FA3A9DA94D0FE9EDD584C12767F52BCBE72E220C7D824D88727888F61859AF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323447Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:17.513{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C863DF76D62F23C4D2B48F05223981,SHA256=8BB6686190EBD5C303ED4E647F8786A0F162A5BB90B11F685C5D2DBE173FBD73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370265Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.122{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-13654-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370264Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:17.064{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65E7E5FD788D3CADA865E317B18DBF9,SHA256=9196777A2C33F94D544691D1CB12488303C8B8FC756B1267DF17E5AD34AC5D9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323449Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:16.590{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49975-false10.0.1.12-8000- 23542300x8000000000000000323448Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:18.544{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BB7B07BDB97553E7EB70F2F1DEB1E3,SHA256=D9DC4D76334D91AF5667CE03F603938725D17B27A7F9811781A41F88A61EA1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370266Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:18.079{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7271975ECEBAF6F6FC6B92D344D51B2B,SHA256=CEAE19BE495D3B0CC6B0A74750FF0FDF3A1FEAD26EB7180AE67BB1165C2340E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323450Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:19.574{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1711344BD343FD54E3B95EBA10B09A81,SHA256=DB3AFB78D383BC548FC65C08B5CEAE16800796E2CD329140FCADDE496E7947EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370268Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:15.710{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-19961-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370267Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:19.079{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD537882EB2A4B58C2D7E10205DA5A24,SHA256=489904B90D776F9E52E3C0B1B0E6784350B08FF59262453ECA4C8E87AA85C682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323451Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:20.574{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F63FB49545A3F42691E02B55C5C88A,SHA256=4C04AA64AD151056AC3F673B86B958FC7FB106F5D8D49D036069D9A3BD99D8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370271Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:20.981{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF538C73807769E4BDDE43ACBCF2504,SHA256=EE0D7966B7D1AE8186E5F89F3D96B2915BE35C6E22EBED53E7A0BC3863E3C4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370270Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:20.178{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-018MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370269Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:20.082{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA75375EF630F2BBBC32D5FB45CDDF03,SHA256=AA3F950A873E67649F84ACF24C97200544ABBB8853997A9A095A3D59C425B834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323452Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:21.575{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145B8A6138C9DF9DEB8136F1D4C8EDC8,SHA256=5217FF3250C4ECA40A66DE33E1817506C512F01238490A1F54654BAC4B7F5B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370273Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:21.185{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370272Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:21.106{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EB884BE9AF90BC78721F22A340F634,SHA256=0D2564709BC56F534DDEB9A583306BFBE062565FBE601974B335378AC355BBBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323453Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:22.589{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B829336BB3287C2B4CE8C42516043C,SHA256=4F72C8E0AC90F5F86FB0BCB5D03D96637AD5BE060D53D11FD8931FAA543BF25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370277Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:22.458{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DAB6CF261745F91BFE8396CBBD35B1A,SHA256=41B8BC1C6CDE920C56618A7F7AD2CE17C3315118D4C6557CAD7843B65AD0EB0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370276Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:20.101{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-25305-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000370275Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:19.165{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58870-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370274Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:22.130{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF09D7865AB69341AD0A84A2CAD717C9,SHA256=600839D5F8F5B58C89437D6651C2B379571D7A30FE1A1322B41E94A2244EA662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323454Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:23.589{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719FAC5D792808D35010F4619A18BD1B,SHA256=2C91009847DAF133F17625825B0C59A164B84A205208DEBEE72B87B94C848490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370278Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:23.146{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142ED4D2D2496112F657772D243DDE84,SHA256=39368382310C564E92C864BDC7E9BA743C9F9DC7719D8C4CD4DD65EA68839D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323456Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:24.620{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257032ACDEA211912AA84C5905F10535,SHA256=1F9C95FC689EA4DD4DC27E373E32474FE9B7E187ABE06D701B3BB01B77B22763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370281Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:21.640{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-31131-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370280Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:24.146{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B45BBE68BBCF7821B3DAD3FBB0D9EB7,SHA256=DB3AF96F24562E6E1BD8A420A4AB2D5FC36ACC74C90D9C193D4CBE61311FC1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323455Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:21.651{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49976-false10.0.1.12-8000- 23542300x8000000000000000370279Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:24.130{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C985B2526911984D2716525CCE8259F,SHA256=D2140AAD94B6A98607C2AF241F3211A59A8AA6F2E1B0341DD7A2DEF78EACD853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323457Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:25.651{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF18A6D31E5F67BB307A2CCBA5F95B51,SHA256=377D99CC477FE1857097FFD8A646EC0B85D25B611F64ACDDF06077BEEB67F618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370283Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:25.927{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76157CDCE56DC2BFAF3F6AE8E9743687,SHA256=DDDFEFA8AD03256FA391199684525C91B35F2C86DEA9D7274E358D3FD54A2589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370282Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:25.162{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70417888D8D263001F82799157A2F317,SHA256=E72D47FF650F5D0B361EA152D2D256F9159010C05DE6F030E94D689572D53FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323458Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:26.682{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B54D095B2BAF4C88822B312A994232,SHA256=E5855D27528DA2527BA33A6E363BBB5385804B849CF417663D6813C4896B461F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370285Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:23.348{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-39696-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370284Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:26.162{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074EB5A5415D0074F9AEB60C72666DDA,SHA256=865EA8225024B8FCAB86BCD414FB635CEC86144DCE5D438125953AE6E76AEEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323459Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:27.729{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F937FCFE7FCFCC22ACEAE83E9C760A,SHA256=9FC24B291CFAB36DF2B0CE09636E1EE2CE23C02B7AE6525C8C8D2D8AE1C256D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370288Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:25.118{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-46885-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000370287Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:24.228{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58871-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370286Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:27.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0C81E697EAE6862568E4E2155FA7D1,SHA256=EEA70753914DD698D99A1E9C76D8178F73B38E45F5D86CE5EBE70EC644502E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323460Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:28.776{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C23013A142B7484D8C26DA1468AEEC,SHA256=B279998307C895257B990A221A760AE00D0DC07203A3616573DA5AC7A67F349B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370290Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:28.568{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACEC23A88AB3C17F26FA6137DA9DF5F2,SHA256=D24BF33A2BD4D91C6392A90357058194DCAD98CE81AEA22AFF68E5D10E46DF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370289Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:28.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE6DB78BF581592FBF779E1E3723D52,SHA256=EB954B2F1934C109E9A30DC7711C551AD021BBD918B61AA679EC06A7DD2B3C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323463Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:29.776{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF8C24B655915AAC9528A7CD1229497,SHA256=F78935A123E2BD092288972144364B56A7894C382538DB9231B39D9926D77D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370291Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:29.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E17934BC929EC6A9307B049F0E65B66,SHA256=AE6C4C1BFC4A709ED2FE3CDE1E82F1A35D64AABF04653633B6D3930CF81F3807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323462Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:29.370{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F671F97CF4E1B86EBCC4094C87D8B45C,SHA256=C6EECEB5A310795164789F7F1FE09BDCFBE7E40F84741B0495D390B26E39D7A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323461Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:26.839{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49977-false10.0.1.12-8000- 23542300x8000000000000000323465Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:30.776{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D630EF56AFCC70AB73C7A5916EED4D91,SHA256=43FCD482A9A9F885A747A755AC814F9574C0B9DB039EDD6225A27722B8E332E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370293Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.349{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A451B1FAAC2A5E9B8FD84EF952A3C5,SHA256=52D098C333AB6304C9EE8C71361F1F55B6E1AB1F91973294F4162CBCC9E7D6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370292Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C96CEE2077899C16BA16DDA5CA8F0ED,SHA256=5CD34EF0CAE32740231E98EF889251A837CAC76F59B62FD53855AF3CFAF64456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323464Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:30.213{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323466Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:31.776{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFCDDFD3517541C584AEAEEC602228A,SHA256=95157D590B7AD088F75B99981E547CFC8C3B88EA404EA7BA5F7DA961A49F62AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370298Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.755{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5AA4-619F-0100-000000000F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000370297Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.755{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5AC1-619F-0A00-000000000F02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25b8a|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370296Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.755{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5AC1-619F-0A00-000000000F02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000370295Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:27.756{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-59364-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370294Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B611E297E3CA6EC78A943810072F3BD,SHA256=0B72F03677B54F7E83059E097FC11793F8F32971285653F63E24D4745EF1FF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323468Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:32.777{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA43F6C17EC70BC8644C1FE1A4E19A3B,SHA256=3BC7A7561008C84E50E07840B026ED9269E996E684BAF656A3F5A946B261D3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370300Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:32.756{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64AC5DA2AC5390A1FCDB6474A9E51A7A,SHA256=7812096786EFC17FF4AC41569DF81B5F63C4DB2FA203AD0210B65BCBD7386599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370299Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:32.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47178E5AB80B2A0FABCCD213DB06BA8D,SHA256=1A3CA73238F0E391F07D7F7A82ED99AFDD964458766E727F23B8AC92EA6976B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323467Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:29.776{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49978-false10.0.1.12-8089- 23542300x8000000000000000323469Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:33.777{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B9BD9E29929EC7013404E4648C1AA6,SHA256=FBB0A3DBA227AC5AE1A7883FC0EB58185F1B85C65448AD2B4912BFF4CE3B0FB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370304Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.792{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58873-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000370303Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.792{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58873-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000370302Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.120{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370301Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:33.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E3A7DC9D8B28636C101F8F358BDF12,SHA256=D0FB191F920583FA79A1F7A6BA9DD3998D4A8FC0B5234B0C48F0A4EDEAEA31E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323470Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:34.777{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31844FC2452BAEE1A12E3A6178A3485,SHA256=30DEBD42FA3D8D8E1D59CC3898F1DA188C8498C446542F25D877FDD736B19005,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370310Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.724{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-10495-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370309Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.412{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6D24FF409AF934973AFFA7CC0CC6F1D5,SHA256=8667BB84EE171EF336ED2ABAA82E0B64743A606418B917C65BE042BB073079E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370308Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.365{27B459FE-5AC5-619F-1600-000000000F02}12885196C:\Windows\System32\svchost.exe{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370307Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.365{27B459FE-5AC5-619F-1600-000000000F02}12885196C:\Windows\System32\svchost.exe{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370306Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.318{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A4BDFB5C13AA86A033A1176865DD081,SHA256=5101755428802A30E1C7B1B218F7406C029B4332104B9B1139DC59131A0906B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370305Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.193{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19D3195FB9BD1F011482A57E912E3C1,SHA256=1B8B76F619F8448D8B922E3ED19892A01B9A0A8EBCB0FA8D1E0F8C2637998647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323472Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:35.839{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2373E26EF5D72525E335FB15BA6BBCBC,SHA256=515C1AABEF0F76D0EF59A0393220ACA8B81EC9C3C13FE820E31CCC5AD7608A73,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000370323Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000370322Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00131948) 13241300x8000000000000000370321Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1db-0x540950b1) 13241300x8000000000000000370320Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0xb5cdb8b1) 13241300x8000000000000000370319Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0x179220b1) 13241300x8000000000000000370318Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000370317Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00131948) 13241300x8000000000000000370316Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1db-0x53d71458) 13241300x8000000000000000370315Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0xb59b7c58) 13241300x8000000000000000370314Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0x175fe458) 23542300x8000000000000000370313Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:35.615{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C98480F885D64216D2207E7B2B67748F,SHA256=EC2317AC345332CBD2BD494F0A3EA7D5F8D1058455215287EEFF419FE813AC52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370312Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:33.456{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-16858-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370311Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:35.193{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3E86973DE13A208BC6B0BE4C382E57,SHA256=2B4DBCF952D3245A4753E36A5BA343E14A1BDCAAD07319873A0C72C49360FAC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323471Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:32.731{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49979-false10.0.1.12-8000- 23542300x8000000000000000323473Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:36.855{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5733173C8C09B0D4EEDFC6788E28FAEF,SHA256=92AC54F3199CA1637101D84D9C9965C4D86E082766F37979A9F801A2A3D19A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370324Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:36.240{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19125ACE74A169AFAFE6E0EF8A0F11A,SHA256=D6A4677DBC5CDA8CD4D3F05BFAFE175D6A2EC7080442028FAF12ABC0B8FEC7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323474Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:37.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6B989F8C2A6132A9EDCBFB0DEF40BF,SHA256=8C836F70CD520278723FA8E816971A090D2613DB3083A7A56756D36B52F648FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370326Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:37.474{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C82A528FFE0AF802040A3DAA07006E,SHA256=04444987E7AE7CCEF55A92EAF561F0E56665E6605C2D4F86A610AFB21E40755C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370325Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:37.240{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28762109A309A91FBFC3A218089D293B,SHA256=B74DD94F37561AEA1A59A3FA6BA3F6AEB898771A2983BFC1828F71903837550B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323475Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:38.917{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295220435756DF0C293CC3814ABA5EED,SHA256=05C04894EEB418C86F45F8BE10ED2111668C168205CDEA7C217035258F24291F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370330Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:38.771{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58A78882256DAF8D1FB70287DDD22987,SHA256=E55ABBCF80A474BF169F6DDA0C1D8A405C442F00809BCD07131B6F35EFC0BB0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370329Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:35.182{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370328Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.815{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-24540-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370327Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:38.240{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896B4E29DF6102893F6623CC391C6783,SHA256=AA5BF12762C6DA66982D089F87ADE03919B3869194B8224ED473E04085D99D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323476Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:39.920{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EBCB26EE5C4EE3C1318B6BBAE3D638,SHA256=1628219D69557F7B0419F45DDFCDFE73A8C5E408A41A9149BAE284D1F70C411C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370332Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:36.605{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-32072-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370331Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:39.240{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D75C4D5B3304E0740116F7C19CA530,SHA256=C2FAB69B7B1AAD9AEB833B4BA9A095AFBA4948D3843A6A6ED2B4D2C1FA33F877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323477Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:40.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67C6091330198BF28B300974605F20E,SHA256=175B047ADB804CE3C41310658AEF0A42FF93B9147301122345F0CB5C573FBE89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370335Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:37.998{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40339-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370334Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:40.444{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38F7B8D92CBF172242E525A21574F302,SHA256=1F0DF6BA2CCD65DB1902971C592C8E0645B4CB227654F09D21B88867F9BE75F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370333Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:40.241{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD9874ACD442725A39B71542CD4257A,SHA256=08E24F93F4E0304BE90608B25BECF4E7F2D8F4552E9378AC30F830B1C6643CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323479Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:41.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9120BFD22BA59B9929372FA5FD551073,SHA256=413E6A1A8C209E743D718E40D3A51EBF797E9C3EA08794BC35DE05E3AF31F7B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370338Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:39.568{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-47394-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370337Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:41.741{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE847F6191F5533F011DE52B517DDA9B,SHA256=CBDA6E47EDF3BE59117F4080983F216F594D0C4B95350A44BE000A9F400AD37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370336Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:41.257{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAB8285BC572494939E3641FD69C404,SHA256=7DB7BE92077AA209DB04814AD306CC28E1F65079D720AEE1073A4F6BFB3A4559,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323478Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:38.778{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49980-false10.0.1.12-8000- 23542300x8000000000000000323480Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:42.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1337E3BB170D30908C1DC1ABFD64E243,SHA256=0921B9B9753EA8D5D3F2DBB70FFDD21254A1776599BAFB6A2E1A3C05F94E48E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370339Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:42.257{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C076E847D6AFD0236111B30FA2A15F8,SHA256=33DA8AFC19A55F3EF2AFB555E815FB92B009C2CE100CECD013C33B7B347D91F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323494Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A2E232D040837CBAB247CE10C7DBA1,SHA256=C442AA508251B36294BDD8770F72A7AE891838C9630FC119F55C957D55FF4A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370343Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:40.910{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-54176-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000370342Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:40.182{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370341Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:43.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D4222B586965C4993660A8FC11A987A,SHA256=6E282C74CCFB8BB01281F29E3B63F4E1A3272A5EC0D10E415E0E64F91AE044CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370340Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:43.288{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512A53B7BA5B8B90A9DA50EF0893E458,SHA256=F7E44423D20EE2801E7497A3695062C493F5A34E4BED2C595C83D6D9DBEBDF8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323493Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F7F-619F-2101-000000001002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323492Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323491Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323490Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323489Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323488Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323487Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323486Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323485Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323484Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323483Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F7F-619F-2101-000000001002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323482Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F7F-619F-2101-000000001002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323481Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.717{99D2EDAA-5F7F-619F-2101-000000001002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323510Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F03A16CDB8FC707E27C6AE0F5C8DAA5,SHA256=6EDAF25AFF5B39996A0E0FBCC62F1ECDB87408D65B988DB6DCCED5310CD4B9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370345Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:44.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFBB57CFFE79D1EF74DCB86180CCFA02,SHA256=6534F7AF2BAF75AB819747A5CC1D1BC83BF9369DA6013C8A6F20C56C2E172E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370344Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:44.288{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331259C074E5E64F15DFA89101EE4F7A,SHA256=F435E9DC90E660786C77B3FB71A2781946E6902CEE782DDA6BE6E3FEBFE8EF9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323509Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F80-619F-2201-000000001002}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323508Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323507Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323506Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323505Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323504Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323503Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323502Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323501Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323500Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323499Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F80-619F-2201-000000001002}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323498Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F80-619F-2201-000000001002}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323497Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.873{99D2EDAA-5F80-619F-2201-000000001002}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323496Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.732{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D03157FADE008C92A2B61286620AAEBF,SHA256=783146C73E7D86CFCE0A4007CA0374F445718C3115A0D8C578C8E510EA7FB188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323495Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.732{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE0A3E3CF8779077C129A10484541C27,SHA256=58A68CD6B3B2F99096F3EC52A75DD43D6D5B3723EE8269142AF8B6AEFA5560F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323514Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:45.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72DDF49343D468135F0E851CF283961,SHA256=B487B05076D2C8E656C199FA48E3A26397CA540C0985E3B8845681CD3A0FCB5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370347Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:42.472{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-1870-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370346Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:45.288{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356DFD7C4647C2FB6BF02AC8C534DCA4,SHA256=78B0507BCFE53A33FD3A9CCDF0B3BB3931756B11F9B96C6A21CAD971651D8016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323513Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:45.888{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D03157FADE008C92A2B61286620AAEBF,SHA256=783146C73E7D86CFCE0A4007CA0374F445718C3115A0D8C578C8E510EA7FB188,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323512Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.828{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49981-false10.0.1.12-8000- 10341000x8000000000000000323511Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:45.060{99D2EDAA-5F80-619F-2201-000000001002}8321600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323528Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC36487CD5721F9703473CF12D96FBF,SHA256=E904D484BFFF7E9ACF9F719913A64C95C52AFAFC00CDA3E4D5C7FEDFFAF923A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370350Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:43.813{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-8172-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370349Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:46.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE9FE26B67B27BF25FA087ABB2E37B6,SHA256=C6ABB8AD28BC35F5415DE80FAF64BB7707556736CC5DBFCF50B7F48DE037CE81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323527Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F82-619F-2301-000000001002}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323526Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323525Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323524Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323523Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323522Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323521Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323520Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323519Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323518Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323517Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F82-619F-2301-000000001002}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323516Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F82-619F-2301-000000001002}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323515Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.045{99D2EDAA-5F82-619F-2301-000000001002}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370348Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:46.241{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E232D5FD7112A0442A2BE632423767F,SHA256=8AEAFDCF661C8B71964257B3A11924D1F00D2C2151AEFDC3A36F8B709BBC93A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370352Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:47.585{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=346D96C0C5539D68606517B14BDA9CD4,SHA256=FC7D43700B44DE1A18DAFA2F793FC4A84B694B341DF8FC130AD4ECD7C2D31453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370351Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:47.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E41CBED7DCF09FB5F20C136B7B5AD30,SHA256=C40788CD3160BB6338C197BB0D9FB08FE459A5771217B2D9FE5DB92990697082,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323543Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.669{99D2EDAA-5F83-619F-2401-000000001002}11203604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323542Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F83-619F-2401-000000001002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323541Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323540Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323539Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323538Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323537Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323536Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323535Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323534Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323533Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323532Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F83-619F-2401-000000001002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323531Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F83-619F-2401-000000001002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323530Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.499{99D2EDAA-5F83-619F-2401-000000001002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323529Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.044{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7907704E49620FCAF78E9C344EEB5F48,SHA256=A3C0732DF96440D66DA6BD7D8AE0BC647C81AE1A9BA1B83600A739451F63E2CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370355Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:46.089{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370354Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:45.450{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-14899-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370353Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:48.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F43D4BD051E7545D565EAEFB3B6BAE,SHA256=5A1A36B33D5FF2FDBE74E5CC24B9A3D5B6286E0264BAAA8747906CBFA76E6C31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323559Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.779{99D2EDAA-5F84-619F-2501-000000001002}40842612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323558Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F84-619F-2501-000000001002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323557Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323556Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323555Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323554Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323553Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323552Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323551Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323550Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323549Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323548Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F84-619F-2501-000000001002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323547Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F84-619F-2501-000000001002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323546Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.623{99D2EDAA-5F84-619F-2501-000000001002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323545Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.513{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C556AADE8E7208CC6C89025189F3324,SHA256=C3B683F1D6297AD90780A02D480113D178F443E117AA0E9ADBA1EDB91D0D4592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323544Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E11309FD688DB9515A52D49FC4438A,SHA256=84B3706F8DBBDA13EB1700E20E99E50A31E53D3CB0638C2C642B917AD9DA543F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370356Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:49.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C72894E2B5FC68A821A7A7BD46842FA,SHA256=3DCF63E3130D126E729603CFC6BD5FE5C1D8C2B5BDE53BF725A9193BCD67DAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323575Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.638{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=140C520D380A54665F5C63FF6C7B4995,SHA256=85789603528C6EEF952BE03C1B514B60FB0A77A326F9E7AC4342350364605D27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323574Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.513{99D2EDAA-5F85-619F-2601-000000001002}28563332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323573Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F85-619F-2601-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323572Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323571Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323570Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323569Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323568Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323567Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323566Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323565Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323564Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323563Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F85-619F-2601-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323562Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F85-619F-2601-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323561Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.373{99D2EDAA-5F85-619F-2601-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323560Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B929695B817D6438BE7872CD435A5C,SHA256=9116BEAF156741B53A44F3D33B481EA4ED46EB75255EFED9C75986713C957FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370357Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:50.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B8EE372ED609174E3D3904DD730358,SHA256=C2EAADE1378197B5957BA5C0B23903494A8ABF23BFE432F7ABE5B6727BA69022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323589Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F86-619F-2701-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323588Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323587Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323586Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323585Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323584Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323583Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323582Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323581Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323580Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323579Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F86-619F-2701-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323578Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F86-619F-2701-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323577Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5F86-619F-2701-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323576Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.028{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69F37391B8BDC5F5E950276A8760494,SHA256=B42B622705FB56A92A8DCF7B48BC4C1A59773F778AB17810D1C6D569C18F3021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370358Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:51.320{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568C5F5BB15C7CA2470D2F371EB7206B,SHA256=FA19C069D6500E092793A36009DC57ED9897BE47C23FCAF2617B0EC349FBB6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323591Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:51.512{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C945587EADC9DDE9FC47631E3ED7A5D,SHA256=3384C46559E2C401D0DB08AECC8D42F584482843E411BC46D93D1EFA752FF5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323590Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:51.138{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE436422F221DE946FE469227742CA91,SHA256=FA6CBC8DA4C6EC98316D563CB134489AE44A6705DEA704A818C7EE7ADCBE5083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370361Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:52.398{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7B36C8801A70A353A7D6FA02890CF8E1,SHA256=044E59E09E37D3A849B0C8B3BC59BC2890E32BB3228E5C076D80AE25E344620D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370360Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:52.398{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=25619E51DC1F4003FBF09D9D25E9FF39,SHA256=B91EA7C68C096ADE192F1E6A3D93DF5CC645BE0B7914238A9D5BB68BEFC95DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370359Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:52.335{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A2517DE22F76DF97DADA5704367A55,SHA256=3E6A8173C7FE0BC534C0E4932D9A882691C30CA8D1433B02E5C342165B3B1FEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323593Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.828{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49982-false10.0.1.12-8000- 23542300x8000000000000000323592Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:52.169{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1C3724585E9A63FC82CB9764FD820C,SHA256=2D643D10467676424C5568E1655120B40B93834996FD1E51F8312CA259815DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370364Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:53.555{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7B36C8801A70A353A7D6FA02890CF8E1,SHA256=044E59E09E37D3A849B0C8B3BC59BC2890E32BB3228E5C076D80AE25E344620D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370363Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:53.415{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370362Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:53.368{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8E0A6FFDC5D86940067D01E531F040,SHA256=87010E22A598DC59B961C1323FC212F74EF5A85B4817F7C30F0FED9C456ABD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323594Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:53.184{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AEE4AA405A550B7D7C0748D4518B04,SHA256=376A6A3A63237AE6A52C7B9FCB4417FD54F649E3C50F4C17BE60761EB14C94AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323595Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:54.215{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09C90241AF740D8DCBAC4A30F114CB5,SHA256=CE9C43F8A2075603D6152FDBAC32B2A658AAF03C2CECE0904DE88AB555984B9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370367Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:52.060{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000370366Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:54.446{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370365Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:54.368{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23464A6EB16F1A5B0E8925930283A8E7,SHA256=BE001567A1060FDCC1A512E28153AD88BE539C6E73432E028EAACB79DE048996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370368Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:55.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C7DD78A24FE93D6E6C809591634E80,SHA256=970BD702E333BEC4356B597C6555D30AF954430B0B84AF15FCDB1E1B691DE2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323596Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:55.215{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D89E2F6AF0182F661B7E859664CA02,SHA256=4177081E74BB25DE261D3F33A64ED2C56041BDF8393FFA2CAD5AB2C093182FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370369Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:56.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62565544E356903ABD9875EFB10E5E52,SHA256=F8645342FD009853DCDB91C7DEF8036FD17DC0B9D9F37BE3C2B1937AA6FDB8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323597Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:56.215{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC42DF0C8C66BBC1876917CB6B1FE3A8,SHA256=731D0520233D1E05FAD020919F7A5BF090575C5CCFF5CE93CE81BE083D2DB6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370370Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:57.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F751093C7DA2F1767E6B1B16176B86BD,SHA256=F9A5A30BB57C69512EAFAA1A37454EFA8E8ABB4E2F6C7775A45ADD98CECA7DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323599Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:55.781{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49983-false10.0.1.12-8000- 23542300x8000000000000000323598Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:57.215{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D17E58B9AE42538D9C298152A13E977,SHA256=457206766167BD2C57F1BCBB28DDA5A72B3FF003C2AD10812676F63019A877E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323600Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:58.231{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA4B3B55D2F9B069FF759FDC9EA5F23,SHA256=5BC58A499EF003EBAD2F3F5DC3EE6A62CA681F4529EAC67744ED574748167B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370371Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:58.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C70018C268871E859B1BC8B5E12CFE,SHA256=826D6675D516F9533C4096FBB4766D7FE29ECB2BBF251771A6B7CDB356239DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323601Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:59.231{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6E4C9FB7AE76D924C1B6C4562FAD24,SHA256=7EA6D61C3891C81165E8D92FAE7484E92282C1ED27506F04B07982E8C6B29DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370373Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:57.122{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370372Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:59.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3C6FBE3559C603A57A1EFAF1F84194,SHA256=BD97070657704AC361567828829B02631C48F3B075C5315BC87687487718FE65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370374Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:00.403{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AD1332F427287C7E2C35621819A518,SHA256=01AA78A020CB4CD401B81424B1764CD9311BA5ACB0B94B1BED09C8CE4834F66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323602Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:00.283{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31761221806B066BECD2599690174429,SHA256=32FD80D078148228BC0A6E22697D81AE9DEA65CB2AA9EBE07F68B35B4E879D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370375Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:01.434{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F195015518580A3BFA34648B0C6CF2B,SHA256=E773FA7CA41BD2C78DDC4CF65CB44269646CC44393B0E176DF37CE22A4AC2138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323604Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:01.567{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-019MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323603Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:01.298{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC3A6B7F9CB446C59D5A3AA09AC2DC3,SHA256=32F80E99A2C9939B7597C288E56E9F4CF2575D9E208C050E625402305BAAE024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370376Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:02.450{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6011F189F704363C5B6CA1FC96B3E6DC,SHA256=D7DC4A4142F7DD1782B5F39642787F5B13A49970DC87C340519F502EC629F3A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323606Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:02.580{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323605Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:02.329{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBC3519478C7286A166951B340DA459,SHA256=6DDBE066BB160ECCCA595C1077B4A4102E38E37CA13B5C80FA5A4CD40BDCA7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323608Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:03.361{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2670FCD3ADB20058390727955B6567,SHA256=C17128010701C8162B36362A53DEDBA87DA2C17DCB2C548BDD7D794AF74FC6B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370377Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:03.559{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BF0A72CD43DDBCEFFDC5957B5C3B6C,SHA256=AF897F9EA42CA86661382FCFE03CF13B90075901E59CD2B865D36FC957C3A816,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323607Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:00.817{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49984-false10.0.1.12-8000- 23542300x8000000000000000323609Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:04.408{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0063BE0E21E44830D3C0291C37EC7DC3,SHA256=678509958D5BF8DFC06B2E347AEFC97C3CCFBAE71FE3FFBC0456B09F9F9611FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370388Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC0D37C5DBFF5089E266FC75929ADEF,SHA256=22F196D26DBC652366021AB6DC3B24BF540B1E369E0B2E37E9027510095F5FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370387Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F942E66594ADEEAE395E0825C9B82C0,SHA256=D3A014D9FB28DD90513569BF1579B78E5F10408B1257C0FD46F3D35517727A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370386Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A2CC0F0583CB9217DC2DFC0BECB1AFA,SHA256=A9B72765AE465A48C28F8E0DB8F281ECA6CF34DECA0F0B27552865053A545B17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370385Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F94-619F-6501-000000000F02}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370384Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370383Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370382Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370381Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370380Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F94-619F-6501-000000000F02}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370379Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F94-619F-6501-000000000F02}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370378Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5F94-619F-6501-000000000F02}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370401Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA7753B019D75940561D78AF0E42899,SHA256=3A38E496AF4F7F4595A1AEEEB1E82BEDEBB5B36ABD1CC25EE24B7641746EDB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323610Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:05.454{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62774E1A2709F17A17DB6F784EF95FD1,SHA256=5F4D48096D03B5878F5E616F1F26F986D3D0E6F5AF88CED294A53F41C77584F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370400Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.544{27B459FE-5F95-619F-6601-000000000F02}18805488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370399Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F95-619F-6601-000000000F02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370398Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370397Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370396Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370395Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F95-619F-6601-000000000F02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370394Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370393Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F95-619F-6601-000000000F02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370392Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.326{27B459FE-5F95-619F-6601-000000000F02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370391Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:02.610{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58880-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370390Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:02.610{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58880-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370389Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:02.172{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000370414Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:04:06.606{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\583610C9-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_583610C9-0000-0000-0000-100000000000.XML 13241300x8000000000000000370413Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:04:06.591{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6F3BE35-2816-4299-8BAC-44B9E4617F8F\Config SourceDWORD (0x00000001) 13241300x8000000000000000370412Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:04:06.591{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6F3BE35-2816-4299-8BAC-44B9E4617F8F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A6F3BE35-2816-4299-8BAC-44B9E4617F8F.XML 23542300x8000000000000000370411Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C15ED95FB63931AF02FBD2A283EF14,SHA256=A64716FFFFDEEC466A0EDBC43A7CD7146A15A50B9A9A85BE0552962D5F1B178D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323611Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:06.470{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E105EA09EA2A17C9EB03F187FDC5C6BD,SHA256=711D9D03058564BCB16EFCEC25C4025CA40265813E105EE6F870BD9D7E5ED71D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370410Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F96-619F-6701-000000000F02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370409Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370408Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370407Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370406Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370405Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F96-619F-6701-000000000F02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370404Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F96-619F-6701-000000000F02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370403Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5F96-619F-6701-000000000F02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370402Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.403{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F942E66594ADEEAE395E0825C9B82C0,SHA256=D3A014D9FB28DD90513569BF1579B78E5F10408B1257C0FD46F3D35517727A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370416Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:07.606{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C3A7DE9524D44A28EBE812998D968D,SHA256=F0E06744C10F5F9E143833AF91F7FBAAA44AD05EAEA51AE5E5E421FB40E934B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323612Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:07.486{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0560A3C91FD1AE9BCFDF3F6BDFD11D7,SHA256=A898B229A77858CEAAC1B5698A76B90134EF6183955D755E811A91999E485C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370415Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:07.466{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86CF8BC5EB1EE32B7C4B9E1F92780ABE,SHA256=D62A5D349A8D77FB9C0EA7283F4107229DCD5331257D6D460E8DCFF43698226D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370432Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.872{27B459FE-5F98-619F-6801-000000000F02}49605376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000370431Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.677{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58883-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000370430Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.676{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58883-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 23542300x8000000000000000370429Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.622{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BF069051FC6875C4910F6E26CE6A1F,SHA256=43B5CD27B9BF368C9C41249575AA6785C5201CC90D8924398E637C2B29A165F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323613Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:08.486{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0286B78129C6BDF35E7FC8B4F00438B,SHA256=5847EAD59225CD1CEFD4ABA316C460454B511A3386D17E7ADB1DB35DB1764E69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370428Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F98-619F-6801-000000000F02}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370427Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370426Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370425Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370424Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370423Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F98-619F-6801-000000000F02}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370422Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F98-619F-6801-000000000F02}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370421Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.545{27B459FE-5F98-619F-6801-000000000F02}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370420Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.643{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58882-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000370419Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.643{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58882-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000370418Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.615{27B459FE-5AC4-619F-0D00-000000000F02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58881-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 354300x8000000000000000370417Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.615{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58881-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 23542300x8000000000000000370443Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9124B3C9B89C7F6743FAFF18656D2A,SHA256=38B400654783A6EF6FEBCE6A8FFE700F4FE5162621D2373D0001F94C10CC807F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323615Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:09.485{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB5A4ED82F4C31D49C7E7480B6A20BD,SHA256=8410AB11ED91C966B37B6949724871AFB6B986E721C2F3F569BE472602C58399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370442Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.591{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2C132C45B000ECBBACFAB5E35C89A22,SHA256=839EBB4556D7F7FBFD20A2C47D99247C9824F7998B64762FC7B56CBE562A16B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370441Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.356{27B459FE-5F99-619F-6901-000000000F02}52164984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370440Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F99-619F-6901-000000000F02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370439Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370438Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370437Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370436Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370435Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F99-619F-6901-000000000F02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370434Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F99-619F-6901-000000000F02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370433Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.060{27B459FE-5F99-619F-6901-000000000F02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000323614Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:06.741{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49985-false10.0.1.12-8000- 23542300x8000000000000000323616Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:10.486{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B81BF0B24C42ABD6596947CD3CCCC01,SHA256=A0154DE8309E012C39FF35ED1BF4E698DA6C0579FB789C8821ACA2B2C3E1E5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370453Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D60F643C65EF1AB326858D495A3706E,SHA256=F677B40F64F31404FF7F1AFFFA7170C462D5E9925500CB87CD74D1754AFB1DF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370452Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.294{27B459FE-5F9A-619F-6A01-000000000F02}56964820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370451Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F9A-619F-6A01-000000000F02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370450Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370449Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370448Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370447Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370446Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F9A-619F-6A01-000000000F02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370445Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F9A-619F-6A01-000000000F02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370444Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.046{27B459FE-5F9A-619F-6A01-000000000F02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323617Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:11.517{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0B5710B7ACA17CDECB6DC3E0DE9720,SHA256=EF58490E01761DA65E9434E64C2718A18C5414F779C3EF6744027055A8EE362B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370456Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.172{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370455Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:11.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C9BF56D94985FA9356C09A4C82C23B,SHA256=2F253DF7332CF119529A1672149312DBF06F554012C1EEC1C5CECB76262BA060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370454Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:11.060{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EB3BB7F15D8F95AEC6170A7CAEE6482,SHA256=0A9C992B06C75E2189D1AD3D567417210FBF6FA18D57B4ECADC115766EBFB34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323618Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:12.517{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89020611F9684877CFEAAD6E309E6763,SHA256=D823B5EA113112642473022AB7F5602352F8E5705DA84301E762F89735CF2432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370465Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B77AC70B875430889F885EF9D365B95,SHA256=243D19220FF1EC80A6FBEC81935AC08841BB8E190CD9AB198831EAA4788AE123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370464Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F9C-619F-6B01-000000000F02}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370463Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370462Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370461Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370460Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370459Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F9C-619F-6B01-000000000F02}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370458Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F9C-619F-6B01-000000000F02}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370457Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.092{27B459FE-5F9C-619F-6B01-000000000F02}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370467Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:13.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B716EC989CA36ABAF155FD3A912F12B1,SHA256=A333DCE0C90551A3078A6013DD9BC9FEF163E0D0AF1EB402CC78DF359E259DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323619Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:13.563{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A0C619FD45AC116376F314EEB1DE3B,SHA256=D17F265D84A99E308ED0C09A4060CCDBA3CDB4E7008422E94623D94F55BB50A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370466Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:13.091{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30E3A8855ABE184B6A15CC88E49DF9CD,SHA256=04E769400CEF181EF1C6D6AF81301ADEF268C20DBA4B2D01D42853C299B483DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370469Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.685{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370468Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006BEE42624C41AF6BB696948714C2FE,SHA256=045188504057227FAEE35FD342B58C2FF715202B026791EA2368E576921EBC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323620Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:14.579{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7895B875D7BDEF43D5E00FA9C3BACA0,SHA256=282E2D0631BE79DD8C13A1CBCB4B60A289177E97E5C0547EF3620F71780F3B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323622Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:15.626{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDDD503B82B9CB8C1791D6DF5FE7D70,SHA256=C2177B0B539F188BAB4B838CC25FBC705F5725E9E635AE8FB0BBEADFC0B2D724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370471Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:15.685{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65198DA674305BEE5A70BB7FD6139529,SHA256=DB49A1BBF6EBC3A7EA41D02A65EC87F01747855B01E0142F1871ED34B120611B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370470Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:15.278{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-5AA4-619F-0100-000000000F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000323621Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:12.787{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49986-false10.0.1.12-8000- 23542300x8000000000000000323623Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:16.673{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E3F15995E8575DB63088BFBBCFA25A,SHA256=A14A8E27A7FEB28F62495D9DE824D20FD7A5CC1F349563D3A815D2922EAB9E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370479Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:16.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95054E3AF177D1511494A89D42C3017F,SHA256=27DAF62E7D1947045536241F73EEEE1949E19E909495089DCFE75C1B31C2948B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370478Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.218{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-266.attackrange.local58888-false10.0.1.14win-dc-266.attackrange.local389ldap 354300x8000000000000000370477Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.218{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58888-false10.0.1.14win-dc-266.attackrange.local389ldap 354300x8000000000000000370476Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.207{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58887-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000370475Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.207{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58887-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 23542300x8000000000000000370474Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:16.294{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F397ACBC53661EF2A51E626CEE1BA204,SHA256=F994400CF8B2B0D5618C62C890E10B85FF2389B52A79FEB8D432990E2DE90DB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370473Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.094{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370472Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:13.703{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000370482Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:17.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CE6E7DE194BFF4DCA67C14F9D8B4EF,SHA256=2106520D76FE86F13F5E7DBA78063C7AC5B76D65709ABA7BD411A2DD9510BF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323624Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:17.688{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BB0C1B7F5D1CC903E7DDEEBDAFFE38,SHA256=D69EE47263599CF89437E184AD17E1F1C1D6534D838064FA23A0A6EF7FA40FCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370481Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.317{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58889-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000370480Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.317{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58889-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 23542300x8000000000000000370483Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:18.935{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E9E7574E45ED02FCB3EFE46034125B,SHA256=EE72DEEEAEA76D60F718F66FAE89FC6440170C1FDB8FCDE40B86B42085E7AEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323625Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:18.688{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EE1BE15E0010FAF6B3FA4E4FF5707F,SHA256=9D5967C0D26281410FD5B5EA44B26647DCA903EE79DC70E5A4C5BD3E3EEC2807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370484Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:19.960{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0A5866DE151FC94E1BA15A4559E168,SHA256=594FAE72E8614ABCB879E80D783E389F2674764EC4C82D8C8C596BE2D42072E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323626Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:19.697{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D51737131ABC7013FD8326F4024656,SHA256=077698D37A995BBCC69AB496258F606EE85C8A077463C71367B65D759EB18DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370485Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:20.975{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB19D4D279062508FB47FF2D46024B9,SHA256=88F6D3E82998C99C76239F98D5661951255E9EF87728415CB5C271893A454FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323628Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:20.728{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95947D526238F9AECCCD5C33C91254CC,SHA256=13BC2A9FA16C054028B04915D92CE117FE08B4DEFF9434E9B536FE9AB3194E6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323627Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:18.584{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49987-false10.0.1.12-8000- 23542300x8000000000000000370487Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:21.977{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD1906FA107A867BC15FA05A17C7C6F,SHA256=6F35FADAD051E3EA83F2F050A7A73536B523D865F496876CEFE87D3906022D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323629Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:21.744{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2A0292D56475A3C02F7068859F59D6,SHA256=B1ACB1A5CE2620EA3CDB4B90DAA08F27A3B6D671ABF7D2B470AB316CB7EADE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370486Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:21.697{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-019MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370490Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:22.991{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729BFE32BF5F7166ADB4BC0163F0A4E7,SHA256=C6C2241F892479932EFF557B7E710F8590BBA2E62371DB64AEB020FAC39CE3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323630Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:22.744{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEFF1CE0522F6443E4664F57CE23727,SHA256=58C282BEC64932F7A10620EFBBC8CB47CAE0CB2C70384B36E15F74DAAE600728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370489Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:22.697{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370488Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:19.291{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323631Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:23.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E9C8EB80EE2DE5EAAEC87084A97066,SHA256=B07B3A91F70F22353D02AB5DC70408AF7EEB43B5AE6327F1A3CC48ED17105AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323632Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:24.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71413CA8F37D858B584388FDC9611160,SHA256=A56FDA138BDBC8BDAAA252F67CA3DFE40A54C646BA340B2EE231025BCA096E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370491Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:23.997{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C9F3D748424995BABB45FEB8F78D1,SHA256=DD898F2CC57ADC161BB1156B25D184FABB5FAD41A8111AFAC4D9BE34AF9F7E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323633Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:25.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EADADF04F0F8C475C0ED0779F3408CE,SHA256=AC3D7EE414A58E6B5DEBA99A1626C6818E5C7CCAB9418167FFA315A5E15CE338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370492Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:25.012{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C0A748CF93A2D1CD7400692B5838CE,SHA256=6F4D04653D35195AD2EACD5B9AF1364F2518B1F3ED342AD4A4E82E6C97BA077F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323635Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:26.790{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFA3E7B156D5656D013EFCD8D1FED7B,SHA256=452F1C731B227BB345E637EDB604950F40448378543465AD9EF85D24C15EFF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370493Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:26.028{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0461375A8E1F81749CA6EC6F160739,SHA256=93D17725C35CDD34281C5505C9BDAE501EED541AE16F413A83F506A3C34E7351,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323634Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:23.655{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49988-false10.0.1.12-8000- 23542300x8000000000000000323636Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:27.790{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12174B3606D8A14B3E122AA1F31AF33,SHA256=1075599244118ED490B69E846398DF4278EF243753EA4C62103484991E38875D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370497Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:25.109{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58891-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370496Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:27.028{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7948EEE145EEB184E197E7BBF5D0B9EB,SHA256=E92EA7334FC5019F5D68D837ABEB5DAE5749E67E362C570C598A387320F94C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370495Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:27.028{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=843D623DBD8EC339FA347A079142FFE4,SHA256=F1DC3DDEC04BA25AA54687F9B99BA62454EBEA2905CEA48AA643A85ADE9A1865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370494Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:27.028{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB162C1335B51025A6A3F4C093046B5,SHA256=CC033E0DB9BFC45C6BB24AD23FF5B8E0B915B857AB78AD9BD030B43C61C07E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323637Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:28.806{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBEE9848874C360B51E287083F7E882,SHA256=81355977F0EC6DBBAB2917673535706A22D9E1CDDBD43D0AF911BD1040C8C8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370498Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:28.044{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFD43EA6CDE8D9B793684E5D6239E5E,SHA256=1C4B471BED5E8EC50EFDD7236782F6BD3914512ADEAC243E344CB848E8E5C179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323639Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:29.806{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC546EE6C60E2044C24089C8A61FE132,SHA256=BC4E6C55257BA9C45D0AB3B7F6D94D533D8CF6C9608250B8A4D3048EF0CA60C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370499Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:29.091{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBFD4887E6C0796E2A7C15295F200EE,SHA256=F0145E3A49992029AA77496A535D3205816D8A839ED3A1FF11F94D4FA41CAC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323638Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:29.368{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2015C311EBD9AE938E94FD94B24B04C2,SHA256=AC97DD138CB826E6AEC60FBC881D88406E4DF310F0586D219C1B065BB9C64A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323642Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:30.806{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6187A64C26A47165503EC8B4D2EE7A50,SHA256=FC9915D6711F781559F5AB0404819B45D1B8FE06E563722E5718786FCE34C2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370500Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:30.122{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BA6BEC20C9C420B121F610EFACDE2D,SHA256=F4BA4632104064D6C01520C0309B5BBC39582915F26E17F058114DC3F8D2C369,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323641Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:28.780{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49989-false10.0.1.12-8000- 23542300x8000000000000000323640Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:30.228{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323644Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:31.821{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DF140A3055EEA704A8D59B1B7CB0F2,SHA256=B2F6B410D2251D8D62C382166E4C22F58F6623AD86C98BB61879DB591D08921A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370501Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:31.138{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BD7797EAA78187F3833D805025B3DA,SHA256=0C29A48DE2F4E54A9C0681EE3058AAA57C00872C0E0CD13C44003E31FEB55B85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323643Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:29.796{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49990-false10.0.1.12-8089- 23542300x8000000000000000323645Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:32.837{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C68345165858E2714097C4759BB83AE,SHA256=09313E4EE0887F34C735ED94E39B3CE094B968707A561EA643EF445CC8A53054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370502Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.138{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A36AA074EE6E495AC5EB7457DA4181,SHA256=0506AFAA56AF12F3775759A7E89E1383E622278BB5B7126BD637E52E48713136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323646Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:33.837{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E375B2B4207DA44B6131E6F6379AFF,SHA256=A797DF3447F22DEAB7DB733DAE0B5D3C5ED993B40C6F8D88180AF3D6222B2099,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370504Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:30.265{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370503Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:33.138{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A69EA8AEC657F6D8A38ACA591A0689,SHA256=13CBC6E01DC42C868BE73A385373CA81A48B4A0918E53EB68AEECCEB5E9FE019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323647Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:34.837{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE6480095556EA58EBEADB00CF9DFE3,SHA256=A69D2F4EC9FF1CE87941957687A4277C81E2C9F131CA096A80A3D53E3ADD9FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370506Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:34.419{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=77EC5FEA1151FBA567AC88042A0F948C,SHA256=929FBF918B10B08AA9B835082859B01D25FB94B85D67F2D7651A8B3227E3CF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370505Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:34.169{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1453CA6810D7343E4804CB6D9EC7B210,SHA256=420961BCF9AF20B64CC9F71A2F292D0699A7276225C380EFA3B5A33B160C7A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323649Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:35.853{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7001C2B2FF61C6D70CD5D40E048C9CFE,SHA256=F3B4FE0521BD268729E00CAF41DC221B7517044103D897FFA9EBA5144DA9B3D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370512Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.945{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53191-false10.0.1.14win-dc-266.attackrange.local53domain 354300x8000000000000000370511Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.945{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.14win-dc-266.attackrange.local53191- 354300x8000000000000000370510Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.945{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c870:f0d9:7a6:ffff-53191-truea00:10e:0:0:0:0:0:0win-dc-266.attackrange.local53domain 354300x8000000000000000370509Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.944{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55010- 354300x8000000000000000370508Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.944{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55010-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domain 23542300x8000000000000000370507Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:35.169{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3459125E751640209D137C34605356D,SHA256=6D670C7D39C1423F55A3C9F47CD292DB3E4E64D9ED594F5E6097370DAC952EE1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000323648Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:35.478{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0xd99230fe) 23542300x8000000000000000323651Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:36.852{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD95F497E7DCEE45BFD62BB0A5A011B,SHA256=074F8502BBADC2C2C64A897291CB99D49B75010D346CC560AA9758B8F9969553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370513Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:36.185{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A031CD4144580CE397337984368455C,SHA256=F871C1FA4F9355E7DAF16FE5125C2853B9EAA8BC1A4A5C74BC42A725DDEEDFE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323650Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:34.749{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49991-false10.0.1.12-8000- 23542300x8000000000000000323652Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:37.868{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD8C4E1E170136296B319114A860BBD,SHA256=84CDD9708E947DE284F7824C82DF165CBAB2893E5967FDFB03BAC95907505F25,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000370515Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:04:37.263{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0xdaa2a445) 23542300x8000000000000000370514Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:37.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFE23C46CEA8BBC1688EC15F32C4883,SHA256=F5C9CA31034D7BDB3FC638E011081AFB4E9C1695553E1C0112943A3ABA19A363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323653Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:38.868{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520F5115FBEB5569F1AC7A374036254E,SHA256=880A40A45092D542190FB108DE89B61A0572AE0401E66D7DD326CDCAA0841C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370517Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:35.281{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370516Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:38.232{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36214FB790DDE10D511B82B6FC1F5099,SHA256=4C5A9D96193734C5B797A57A263EC1658F7B415CAC44DB6A98446944CDEA6F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323654Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:39.873{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17222AC8AE398192EAF3BAE8A9748456,SHA256=AF64C2CCC0E20A8D96BF35DA79A1A6FF1F545612714E459DC3D23F92E8640AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370518Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:39.247{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934ED92CC7CD4B29ECD8A954BFBCF169,SHA256=474DE6CA75042FACAAF86A2E37DB94A3FB2D4FFD1199FEE84A24303F0BD068A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323665Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:40.889{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E459043EEED077594E5A78E836461B,SHA256=76CC54FCA440A171FBC053FDB681F5E1D3A9259819EAA2B9A0D7603E0D439D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370519Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:40.262{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2D1C55097D57436DC713248FADC734,SHA256=E2E5F34A84340C9C84E24B2DCDD454FDED44B03697C0A2E1A7BDE4C3B3D563EF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000323664Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000323663Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00141d0c) 13241300x8000000000000000323662Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1db-0x7ab4f041) 13241300x8000000000000000323661Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0xdc795841) 13241300x8000000000000000323660Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0x3e3dc041) 13241300x8000000000000000323659Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000323658Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00141d0c) 13241300x8000000000000000323657Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1db-0x7ab4f041) 13241300x8000000000000000323656Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0xdc795841) 13241300x8000000000000000323655Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0x3e3dc041) 23542300x8000000000000000323666Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:41.889{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB307669CE1CAA092239D8C2F0B5D3EA,SHA256=1C3B745DD8CE794E48DA0C1CA0F48493904E1063FC1ED7ECC6A85DAC5693A6B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370554Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370553Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370552Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370551Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370550Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370549Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370548Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370547Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370546Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370545Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370544Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370543Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370542Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370541Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370540Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370539Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370538Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370537Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370536Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370535Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370534Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370533Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370532Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370531Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370530Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370529Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370528Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370527Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370526Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370525Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370524Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370523Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370522Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370521Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370520Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.262{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1F2FBB1D0BA3B36910CB51CD41880D,SHA256=146C15668D3CE01A5C8021FEECC23E0C050BA8BE6F484750E194CC6D7155613A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323668Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:42.888{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC91A6FDE790BD066FA4F52E224B855,SHA256=BA4AB64ACD9E397A6E4005378268E6DCB899E76E97ED96AAA92203FB22CEA1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370555Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:42.699{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0210A7C2074020523F7B796E38E593,SHA256=50B854319296347659D6B27386D7EE1BE66EBFE8DE5BA0AEA33BFF38306A91BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323667Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:39.832{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49992-false10.0.1.12-8000- 23542300x8000000000000000323682Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.904{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57704E293C5248B3FA252DF76758AE8E,SHA256=FD89372DEA221998DC5708AB271E8D65FDA60E91CA243FEF455BEDEE52B17B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370557Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:43.715{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B938CE329302FF45131DD3652948FB2,SHA256=0BEFB9691905915CE9D96615B91FB69BDB044D52B4F4CB9E2350E593E383EE4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323681Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FBB-619F-2801-000000001002}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323680Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323679Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323678Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323677Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323676Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323675Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323674Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323673Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323672Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323671Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5FBB-619F-2801-000000001002}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323670Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FBB-619F-2801-000000001002}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323669Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.733{99D2EDAA-5FBB-619F-2801-000000001002}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370556Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.093{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323698Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8567A85BA955648537BD11CABE875FA3,SHA256=F6A4561E982BC6C29D1B9F61F827692DE46698B7C671B69A50A0F78ED33C1C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323697Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C8301360E4C63C1C4AFACCBE4236DD7,SHA256=80A97959D00EAB42929FDF2D21567B332094C7DB2EFDA99F8C110D7817B80E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323696Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E306BE2AE89FBECE74902DCCCB5DA9D,SHA256=6D07E6921C906EA2674B04B49A2239540E34384546B3A472D5941D4B63F52F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370558Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:44.715{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE17E776EA0B49AF9B7511470BCF790,SHA256=ABEFC4543EAE82FF41409006635714DFDCB28F629DA5D9F13193CEF48C4EBE0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323695Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FBC-619F-2901-000000001002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323694Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323693Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323692Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323691Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323690Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323689Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323688Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323687Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323686Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323685Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FBC-619F-2901-000000001002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323684Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FBC-619F-2901-000000001002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323683Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.874{99D2EDAA-5FBC-619F-2901-000000001002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323700Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:45.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F938D45FD310A3B336DE6706EC51C8F6,SHA256=2E6F7C82D3EFD3DBEDE6ED6E75623D14EC9998F2B571E03AAAD66469145C6A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370559Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:45.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3EEC808A992B06648289FD802F7F75,SHA256=709BA971007E27EB21C0A10D6BDF2523EFAA36B15111B9DC0904092E2173B354,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323699Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:45.045{99D2EDAA-5FBC-619F-2901-000000001002}1916656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323714Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3FA4DE09CC5F9FA4A8982079AA714F,SHA256=5A708B238F64B41106ACF0F1683DA9F14C386F4DE803EA2A857E3E6BEB178736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370560Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:46.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99FE54F40D18F23214497A0F134A6D6,SHA256=5AE445F378013388BDB9A48B5B79CC84AE995214DC12904856BD2AEDEC61468D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323713Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FBE-619F-2A01-000000001002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323712Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323711Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323710Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323709Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323708Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323707Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323706Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323705Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323704Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323703Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FBE-619F-2A01-000000001002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323702Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FBE-619F-2A01-000000001002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323701Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5FBE-619F-2A01-000000001002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370561Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:47.747{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD427D4A16AD85D84DFD64E98EC09190,SHA256=86E266374905DEBD5A8134828B395677E656D2933A54AF6EEFAE158C49B5A043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323731Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD000675C0D711E4EABB21C9BB20E1B,SHA256=5E5C7D89ACFDDBDCC4E2ABBBA949D5E3A9CFFD18F03FC83A2E2ABE965BC8D4CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323730Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:45.629{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49993-false10.0.1.12-8000- 10341000x8000000000000000323729Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.638{99D2EDAA-5FBF-619F-2B01-000000001002}10481640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323728Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FBF-619F-2B01-000000001002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323727Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323726Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323725Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323724Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323723Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323722Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323721Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323720Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323719Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323718Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FBF-619F-2B01-000000001002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323717Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FBF-619F-2B01-000000001002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323716Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5FBF-619F-2B01-000000001002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323715Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.060{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8567A85BA955648537BD11CABE875FA3,SHA256=F6A4561E982BC6C29D1B9F61F827692DE46698B7C671B69A50A0F78ED33C1C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370563Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:48.762{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA27226D2CAC1E895978372DCF142A75,SHA256=CCC77749E18756FE9E5E8B1F1100C05CE07E6E32EA3B34707D2CE692131A7616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323747Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D339872D9F77FFB45840E07A92E1104B,SHA256=3BF840581898C2615738AF5BF4735D4E7FADCB017B8FFB1D509CE45D947FB989,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370562Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:46.186{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58895-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000323746Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.779{99D2EDAA-5FC0-619F-2C01-000000001002}12841088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323745Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.718{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9715890EF57420ABE060E8D4500EFAC6,SHA256=16B061886DA78C4D0C789CCDC3CE268324BBC3CF3554C46EF7485EC91E850251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323744Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FC0-619F-2C01-000000001002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323743Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323742Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323741Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323740Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323739Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323738Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323737Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323736Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323735Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323734Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FC0-619F-2C01-000000001002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323733Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FC0-619F-2C01-000000001002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323732Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5FC0-619F-2C01-000000001002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323762Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E96C08E422BFA32B049DB2F6EACDF7A,SHA256=84AD3DF5D65147F223FB63B3F50518EAD56FBF8AE714F2234DC4A7D960BA9170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370564Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:49.793{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A2A90F03691674A92C6640A73DC511,SHA256=962E4539ACCC1959F6A38EF5BC502EE51058E0565B7BF32A216E5351D8095E20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323761Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.654{99D2EDAA-5FC1-619F-2D01-000000001002}21562232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323760Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FC1-619F-2D01-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323759Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323758Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323757Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323756Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323755Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323754Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323753Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323752Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323751Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323750Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FC1-619F-2D01-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323749Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FC1-619F-2D01-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323748Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5FC1-619F-2D01-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323777Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A028745C6E4CB12F71CD7BF9502CDE,SHA256=A246CFF64A63B97B5F7BC9A7862E3E5F463E18BAF461975215C1009FE73703FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370567Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:50.872{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370566Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:50.872{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370565Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:50.793{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FAB448291EA0CB9A8E50DB56B77121,SHA256=C14FCC6E93E939C96DD15C1ADAB2F19A7640C944BD3B149B0AE2D8E4EBCA0C58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323776Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FC2-619F-2E01-000000001002}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323775Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323774Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323773Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323772Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323771Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323770Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323769Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323768Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323767Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323766Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FC2-619F-2E01-000000001002}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323765Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FC2-619F-2E01-000000001002}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323764Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.514{99D2EDAA-5FC2-619F-2E01-000000001002}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323763Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.466{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEBB5D8621F51C3EA737F51C4295865B,SHA256=A79922D819C615EA7BF5C77A3DEDD3278EAF4E1C566BDFD9CF0ED88B7FDA836B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323779Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:51.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940F539AA132D31114204DEC47526B51,SHA256=687BDFF9D8CE06F2CADA32C40EC9E039FEBBBB9E5BD8B9A9FC5D2468CAE201B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370568Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:51.794{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC3919A0D5F32D77202AAE9565C6934,SHA256=460D3D194FC1411CB370BB72FD08B2B7CEF996EC31CB4ED230CE8FAC91C723E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323778Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:51.638{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53900BE33984D89057B20DB8DBEF0841,SHA256=35796E4A9E38CE5600A3CBFA3DCA01BF6CCB5A549B6876DF71F66CFF390C4C9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323782Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.770{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49994-false10.0.1.12-8000- 23542300x8000000000000000323781Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:52.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120E77F27CBFDC1383F99D25CE5A0F95,SHA256=BF46AA49F878C192F065D0F0B278E1F604D38781B159334AF673DBDDEE043146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370571Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:52.809{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49545D75CB03AE0A5D7315F737095D20,SHA256=2BD3C1B199E9C650DE73DBD0ACA375E905D74C51D62207E618EDAF01210E21F2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000323780Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:52.263{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0xe3937d15) 10341000x8000000000000000370570Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:52.356{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370569Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:52.356{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323783Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:53.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263A45DBA9774E8F653C253B6CF5FA8C,SHA256=4D7F2F2145DEA6C1EA630EA43159631FFED2D2CAD498789E40FF4357956883DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370573Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:53.825{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BF369FD93340E840648541B4BDE8BB,SHA256=9E095566CE479E1719CAA56FFE47AF5495C005CAB743A7ADE99898BD8D24164E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370572Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:51.233{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58896-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323784Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:54.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C9C8F8756017BD4C9CC3D2B8F54103,SHA256=C7BC3D1E77117ABDBB509F7062CCC28E90DE0C7758FA5FA86267063DDF1B0473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370574Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:54.825{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6509E1356CBE5EEAD3840F54D541C84,SHA256=4B626850F5165E3E084B4C3D1366B41A23B3E4B65471816A6D0EE8C36F7C18DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370575Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:55.841{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D977216B5AE8A3BCB183D79C7D90A6EB,SHA256=B12A3C89081595C9AC0078D404BE8F72F07CFEF4405A025544287460C7449A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370576Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:56.841{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2370E23EFAE9F306A4F36B28CE332A8E,SHA256=57F35B1EEE909759CF3EB62C4441444B55488053903E6E54B3645731206EBE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323785Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:55.997{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7734AB3FD879E424C1EA49E21E8DA733,SHA256=5CDCA1F4963F9965B6E720205D0216D4283720FCC557EBBAA13FE0F00AC62EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370577Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:57.872{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4884E9CA72390EE22298815C6B2E925B,SHA256=D7EE21E0031B88E28FEDFBDD2D40F493D2ED9D4CBFF13A0E446607E12F43B01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323786Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:57.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3B2B4F5815A2A7DE320D74BFB8E27E,SHA256=50FF578C4626BB364AF77AEAC8659C12979BD98BEEAA311DF48AAC37D91C2140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370579Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:58.887{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78C4586002CF76C6DF33E7239EE511A,SHA256=2FC783F0C80CF10582E02F1503704B50A0B4B33929806E0ADE0E616E7D0F77A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323787Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:58.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18490A45876346B6698D58C3F4B691E1,SHA256=A4797A576C5F02B7155BFF74D1A8DE57359EBA257D5A5001818FC585EF912845,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370578Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:56.265{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58897-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370580Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:59.889{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E391DEE616A0F59811A55485A1968,SHA256=321B61956CB494EAC09A52F129F47C820D977D46967C7DF049C76AB724071C34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323789Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:56.692{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49995-false10.0.1.12-8000- 23542300x8000000000000000323788Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:59.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2C7EA8A1C74AA278247EF5429787D5,SHA256=779BD7CFF2B383B329BCE38CB12E76248BFFD5CFB7D8D174058429D7E780E5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370581Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:00.904{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A0A1D6DD6D28DD486F49422455DAC1,SHA256=9E9689E8A00C2403F181AD301572B9A391590948B4D2FAF3973C1585C2D57FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323790Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:00.045{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B69C25C0D067782493C5D8DA8FB30A,SHA256=ED9CE5E0253FD0DA3A7D448A81C1DBD6F140B041F214D7A3C4B44610E76A7697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370582Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:01.904{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7CE14C776E94E54F343014EE83F7D5,SHA256=514E5B2A05506B5F4F3477875EBEDD7373EA2034A59908931DE3613D33EC1314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323791Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:01.046{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFF8A96E131BE46345EAC78DD38CC44,SHA256=CC6D23B71007AAF1342FFB440FBC10DC5C6C031AD9721D1AE41DBD7FB15C04A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370583Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:02.936{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE97B331E69039EF284730EAB8863552,SHA256=9B354EE7FE2F4047F3C8C895D77A02174528CE3E6759BEA054195F0293B52B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323792Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:02.061{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDFAFA01F0AD296926D33371325F372,SHA256=486E0C8C5A22F4C4A7369C354EF481C1A1AA4237543FC8839E6131C87005150D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323794Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:03.097{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-020MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323793Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:03.078{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656F9FE86AAF0BE951E04DFDED366046,SHA256=BAB87FD8B5E761EEB5F5256DE66004C101AA9267354C5557CB4FDC1D6573E7D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323797Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:01.802{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49996-false10.0.1.12-8000- 23542300x8000000000000000323796Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:04.098{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF8CDAAA7CA8FFBE58AD347AD803C9C,SHA256=B29C26146DD9523C395C6544B175A8115AF46F046A51707FB9DE0A1C59E081FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323795Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:04.095{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370595Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:02.203{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370594Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.624{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBBE9D90D354DD0A61F154908F60CFB4,SHA256=E2FB5BC84C3BF1D3AAFFA348CC473E498C37BB619952AD4D3E3BA30AB0A7ED3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370593Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.624{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7948EEE145EEB184E197E7BBF5D0B9EB,SHA256=E92EA7334FC5019F5D68D837ABEB5DAE5749E67E362C570C598A387320F94C97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370592Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD0-619F-6C01-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370591Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370590Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370589Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370588Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370587Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5FD0-619F-6C01-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370586Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD0-619F-6C01-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370585Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.421{27B459FE-5FD0-619F-6C01-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370584Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.170{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D959E26E2D1844ED0704C7B68EEE4B,SHA256=3C8508324B17DAB968C217EFD579BD046679277E3DAC3DE7460C4CB4FAD91A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323798Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:05.111{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089C6568FB60FE2195BE875A8D64C5F8,SHA256=8E0B924D9957DFEEDE997F6696EDC7FB626F5C49B82A45F1D03B6F427FEA4382,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370607Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:02.626{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58899-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370606Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:02.626{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58899-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 10341000x8000000000000000370605Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.514{27B459FE-5FD1-619F-6D01-000000000F02}53885608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370604Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD1-619F-6D01-000000000F02}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370603Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370602Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370601Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370600Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370599Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5FD1-619F-6D01-000000000F02}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370598Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD1-619F-6D01-000000000F02}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370597Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.265{27B459FE-5FD1-619F-6D01-000000000F02}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370596Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.186{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E730EB8D179F3A0382DCE51F13775CF7,SHA256=8501407C43BDDB690588864B97D512374013C9FDE2C722AB453991377E34673F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323799Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:06.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3294F52EA629E18C438A1597CBBC99DF,SHA256=435EBD21180E331D07FA4FE2DE0DF62B3CED783372086A052AACC95D5A214A03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370617Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD2-619F-6E01-000000000F02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370616Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370615Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370614Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370613Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370612Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5FD2-619F-6E01-000000000F02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370611Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD2-619F-6E01-000000000F02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370610Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.406{27B459FE-5FD2-619F-6E01-000000000F02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370609Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.280{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBBE9D90D354DD0A61F154908F60CFB4,SHA256=E2FB5BC84C3BF1D3AAFFA348CC473E498C37BB619952AD4D3E3BA30AB0A7ED3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370608Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.186{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA108BF43A2C27E51845EF0B2E4ABD04,SHA256=FA4E7F891A5E2C3FCF4093B27CEF55CC416C2C27EC539345DBC40009B464E7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370619Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:07.405{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB5BA2149820340D8AA3522EC31394E2,SHA256=C0A8D4E4E560F9592D5A0C89B5DAA8301E01B6A0E99952C5A2E3A54CA328482F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370618Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:07.217{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953CDDC37F8B74A2BE33186BADC0C84B,SHA256=EA30127F77B34905A7DBEECE7F2EF3AFE730C5182A36FBB7962A0D47788008C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323800Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:07.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCDB819F71F4B0A69CFBB2CED641553,SHA256=4860E366B3C10727F338694B9D22754AD75D99A3BE5F49993EC09FC03E08D6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323801Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:08.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D83BE15532951D2F9E06FF80E874F5F,SHA256=1E346E72734A991841810D3B9455C439793F8457AD6C7A2F911AE5ABB2981104,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370629Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.764{27B459FE-5FD4-619F-6F01-000000000F02}58523172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370628Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD4-619F-6F01-000000000F02}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370627Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370626Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370625Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370624Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370623Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5FD4-619F-6F01-000000000F02}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370622Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD4-619F-6F01-000000000F02}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370621Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.546{27B459FE-5FD4-619F-6F01-000000000F02}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370620Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.217{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F49FF34E8C51FE4C77030B1FCA5691,SHA256=E2DB396AF34572B1C6F6CC0330EAAA7C0B301D8FF6AFD9BE9B8B48B8EA3946F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323803Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:06.805{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49997-false10.0.1.12-8000- 23542300x8000000000000000323802Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:09.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7D35CBE7EE707906D21A8509CC5D22,SHA256=D8AEAB62E8E06820D2A2CDC0B1F573769F2E59CB66128C332EB884FB2E204D79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370648Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD5-619F-7101-000000000F02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370647Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370646Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370645Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370644Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5FD5-619F-7101-000000000F02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370643Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370642Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD5-619F-7101-000000000F02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370641Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.968{27B459FE-5FD5-619F-7101-000000000F02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370640Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.733{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E0965C47E20E1E3D259EDCE8C65BA30,SHA256=45451C746CA89578D52F7742BBBAC7911596557809A2C135BDC1193AA2F20AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370639Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.218{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38BC093050F7EAB1C83BF08C961F4F7,SHA256=A035E50FDA17CE029B92BF4C2F065770562CD2CEE7622687CD8E4E8EF0BA9003,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370638Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.202{27B459FE-5FD5-619F-7001-000000000F02}48562020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370637Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD5-619F-7001-000000000F02}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370636Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370635Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370634Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370633Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370632Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5FD5-619F-7001-000000000F02}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370631Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD5-619F-7001-000000000F02}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370630Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.046{27B459FE-5FD5-619F-7001-000000000F02}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370650Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:10.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A33E05C9B922BAEDD5229B0E32EA47,SHA256=F7DE2E32EC378B76B664A8C3D30E2408CB9CA00EA380D36961918123FFFF9701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323804Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:10.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0D41949EF610B4F2AEF7EAE1F87DAD,SHA256=9C9CF86B9BBDB16C5BC96D599EA98DDC05CE47CE8E3C913940ECD225B444F3EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370649Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:10.170{27B459FE-5FD5-619F-7101-000000000F02}57441120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370653Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:11.264{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BB9E0FC622C9921F0D6215DCF060CD,SHA256=322E3C606C65A5C8CA57ACFA9E17791391B5CC7EB30D74F75012D89D55A16AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323805Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:11.126{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB285710C84A136CF438565DE563786A,SHA256=7C559AE9E36945F73C2A02C40546423CE34BAFBA95830D892E32C6E7B2937C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370652Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:11.014{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=294ABF3C7B1757C0BB8B037382313BB1,SHA256=FE28280FC321DF473CB6E901B5C27D08BFA9CF791D80AEB898BF6320AFAB5187,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370651Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.110{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58900-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370662Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.280{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6B6E5AB0945D9D8C7F41BFA42C0D01,SHA256=93C3562BDF9C907B60446D62804F9D89D83B19B9B8145A90644EA1F082E1EF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323806Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:12.126{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AA96D3F49D9CD3242AA26A4F78392B,SHA256=A9E51C6194ECDE45D6D917E14DB1758FEFC8C085EF167704BF1BCB71ECF9BEC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370661Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD8-619F-7201-000000000F02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370660Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370659Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370658Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370657Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370656Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5FD8-619F-7201-000000000F02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370655Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD8-619F-7201-000000000F02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370654Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.093{27B459FE-5FD8-619F-7201-000000000F02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370664Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:13.514{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2A1A9A7FEB2337A9BB0FF0DB20F1B3,SHA256=F7D62F0886EB39FCCC45C83AAE4CA406231447B2DB92FD0C3EB749B2B4703CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323807Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:13.126{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996A155E17C8C38CF9A8452274FA15AD,SHA256=7367899106332E957C811573EA522AF470C62022F5CC632518939D12C98B1274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370663Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:13.327{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=954D5F30E3F22977568A427D56AA9B5E,SHA256=D1FB99E29B8CA8CCED36C50D1F1CB4DEEBE53DF3C609D5E7FBD9C30D173B455C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370666Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:14.702{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370665Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:14.514{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB37FFDEE5DB8255E6D2AF33E52EDBA,SHA256=6A4405A18B76E6CCA13D4799AB0B511A006D4DB204BE0E31C5FF4F32ABCCB7DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323809Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:11.836{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49998-false10.0.1.12-8000- 23542300x8000000000000000323808Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:14.126{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438F8E0DFED53C10BD5C1D4CE5B30AC0,SHA256=1BFCDD65864C82C2538A3AFA7795B91E61B377FC9EF4917A8C7E4502D5596F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370667Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:15.530{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D8F407A95251FBDA7151A59A6B89B7,SHA256=7FDEAEAA573C0CF30306EDE51A13D8DAE2F8DDC450385CADA166131952DB9D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323810Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:15.142{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD904316F8ED464F836026A37EBF7B8A,SHA256=04DF8510A84B59648D5EE03059CDA68936AE34914528170AC0F2117A6FB8A764,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370670Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:13.720{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58902-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000370669Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:13.141{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58901-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370668Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:16.530{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F6C0E32C2F2F05988FC4B55E106A1B,SHA256=6C2F503B4887AE463C9A563FB5645B639472FD58983A49480CDED2DF4017824C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323811Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:16.142{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C563DADB8B1819C51B4F38BCE471BA46,SHA256=40AE99D3D6B21BCBEA17FD407E72F0D18C49CE9BFD5A0F99A660CCCDAB5F959A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370671Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:17.530{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473E5992886524AB60C8E18D4D16A792,SHA256=13B469CCCDD6F57E9E90E3F30A290C8865BCEC5BC253E25BF7BBDE0028CA7BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323812Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:17.142{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19E4017A0F9FE0EDD1ECC6B04BD2B63,SHA256=5DA524182D783643DD77F1F5E2B5753188AE62741F14650C4D012774C07F8811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370672Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:18.561{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8231622C01FA5A926E6B7D72419B3E24,SHA256=0478FFC4AA7D5E017FCAFCD196DE845FAAE0C0811652D73FE949259A44175BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323813Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:18.157{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488C9898C7FC6FEE06DBF4D32FD5C7CB,SHA256=706C8438045A41F15A81AA5B70DA419329718435DB25D2E5C0EBE6D035B1300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370673Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:19.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CA2C603B005C8626BEBA105FAB06B1,SHA256=ED74A5847959A21C350240D8BAF7A361E065D03A808A9809FF43CB2BD189C3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323814Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:19.157{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FD644B0ACBD3B64487BD20468B9115,SHA256=DCA4396EC2CE04B53C48D355C48870FF07E35F6CC2BFF48EC4D1F4B95585C730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370674Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:20.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683B4C40B9014EAD12F2E6A2307D5D10,SHA256=49994A7DB55B7657A0993D222C226CFCC0C4415BC6D47DFCAC21CCE589FCE11C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323816Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:17.602{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49999-false10.0.1.12-8000- 23542300x8000000000000000323815Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:20.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35CF9C472447A88A0124C18638F6DF2,SHA256=084A0429743D540D10B56FDB7E696D3AC43A93F9AE45923820DBEF475D8C2D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370676Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:21.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134D88D9ECFC0DD29A87BC2F686FDF26,SHA256=0DE730C7B30B0618262FF6699E7E4D54AAB95F07497A28263FC34870939881C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323817Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:21.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C8EE020FF1DFA6AB88C260737B3C7A,SHA256=4C962187815F6369AC5D6F1DEADFD480950E6241F703CDE9B2F8787027479A06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370675Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:18.282{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370677Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:22.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBC90578E624F81C6403CD66C409E1E,SHA256=E7BAB0F2C729CD41033A25183722E2B4F701D0A85E1C779F865FAE8FB936A609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323818Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:22.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B6FB800B9C10EA47221037B9D1517B,SHA256=D34E38925714010B106CDB4B65B1455EA57AB4D38329D27CBC6A31279DB7E688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370679Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:23.598{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92527556AF9F6AC8858FC3C50DA01CE0,SHA256=D29EBD27F9362DB523061E9EE926B88AB03B4394B2A5AC3FFD7C35BC363B3020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323819Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:23.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13570E772EB85983CA36F4805294F996,SHA256=9FD8DFA295BFBDD54257938DEDC28A8BA9C13026E1D9CF6C3E089B6DAC5C5AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370678Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:23.225{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-020MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370681Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:24.675{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EF0F9FA012FAAF70F28C4593AB760E,SHA256=9F2BD6792A2BA49330C2966D6DF771705201C21E12EB54BA448EB77FEB9DEDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323821Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:22.838{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50000-false10.0.1.12-8000- 23542300x8000000000000000323820Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:24.174{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74B644265243276427EC80F47FB22A0,SHA256=7438108A801159FA98733CFDACC8819407EA035622A02D182D13EF9E0F41DD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370680Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:24.224{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370682Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:25.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A809BC675353E16F442FAC5270F298A,SHA256=2AC382D395AFF6C3A1E9BEDA6E3C060C4A1118F42043B9F3AFA25D4EF667ACB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323822Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:25.174{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F046677E6E233F55D9C657695F2D95,SHA256=FD6623FD8AA86B2C9735FABA5EBE560F0CBE60702E075C540F316359E3A43DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370683Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:26.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CA8DAA5305AA9991738989C9F855B9,SHA256=693F3BB4F1D8C72F2AF64C14C06625E34AA7F0094ED58E56DABCD785D98E87EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323823Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:26.189{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590942A481A1277DBF3B777610628260,SHA256=04A333B47BF31F48F35DEC880F86483C4C84410DA1837DCF278BAEF9CC1513F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370685Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:27.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15771944C09144737E8D937174BBBCD7,SHA256=306736BD4B0CD5908CC0E82BE1CC95DFD45B10843A195DD63DD0AF160C379C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323824Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:27.189{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063106CE81760BA55705DF5C30BCB27D,SHA256=EDAA4ECCE8A8CCDFD17697DD432F85BE4F19B84A359416EA6177868EC74CD0A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370684Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:24.133{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370686Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:28.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6E2FB92B30B5E8490D326CB438F066,SHA256=268EF36CF51B68DCF61BC22BEE613D6078EBA35FE3E41F8191FEABB949B4F070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323825Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:28.189{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A91F4045F3643C8FBC6FD3CCAF3736,SHA256=54FFC8C90CCA2894BD3D4AF8EB19489473A3FFD35E282FD35FFF58DEDF6B2750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370687Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:29.695{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAF212797B1CDD512A39CEA053EE1F7,SHA256=D672B148C121F065749D27757ABF27B0EEB35035BE0324EDCC8D590417AD73C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323827Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:29.377{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D9BD9B7A541D75CF5259029B96FF45D0,SHA256=2BFF548904882CDB64E4A05244D902FD905C77BE09D316885D6F965F5A33C467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323826Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:29.189{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D44A9F753107E152A404B21AAF9A12,SHA256=949D27EFB61A8E5C40B6679D0486DB00BAFC3FB1973299B711B4A6C150E8FDFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370688Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:30.710{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F002B4ED78D70DA2D4D9B2FE430A5E3,SHA256=4CE36638F3F7E384340825CD972046C13FC62995A8B6815C2F149EE12720CB01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323830Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:28.650{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50001-false10.0.1.12-8000- 23542300x8000000000000000323829Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:30.252{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323828Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:30.205{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44178BEEB7B7D6D3348EE510B7C5B2A,SHA256=61A052A49518BF3CD083709A59876FD0C35EA118B6B220650AD91237E70ED5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370689Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:31.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817E2E745AA9FB4C4A79CA22A4AD3C5F,SHA256=C14F124DD19B48D835234A45CB74C4399292688067D6E9D84E3D86B29CD52934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323832Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:29.822{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50002-false10.0.1.12-8089- 23542300x8000000000000000323831Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:31.236{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEE5BC4A1F14128679F7E4F2A2089F6,SHA256=D85131890D2A7A20EE201B70480C3593BBA17A7639304DC1CD95A754E8BD5828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370691Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:32.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E57D5051BCA58B89C30C302F0D7C278,SHA256=7C3F876F3517C3B6A3EB14C95BABAD41AD544BE39820526ABFAD94D5571D24C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323836Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:32.236{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDF888C632EA50C37263BEEBE1F9DE3,SHA256=7BC7DD06212DB098D9D120EEAC0E763B4D1C1C8C8A130733B51F97D2D7F9360F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370690Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:30.118{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58905-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000323835Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:32.064{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323834Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:32.064{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323833Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:32.064{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370692Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:33.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F32CF8F13DF153C75B7797C1AA36C44,SHA256=FA02153A09F9596B70B8C7CA6901E9E4A3DF008E76E4651292B1925413D135E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323837Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:33.252{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20D1BE177C4E5F633EE16B924E837FA,SHA256=62D1E15B83CC84C3D745383C808937D734ACCA8BF12801CDB67504B6F8EB9CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370694Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982F3B84522ED27FC5F4981F304E24B3,SHA256=ABC86B7FA63B02653D38F291470BC17CAE649758E35FEF75CD4D0B6AD8D4C550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323838Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:34.267{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146554EE719B1A5A86265A4FC40B65AC,SHA256=7E42FF420A7EF272AE53EBD98C7413AA36C61285CC934F9AC22C5F4F4318F9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370693Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.429{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=325ADA20E84E4205E771A3B8A3F515A4,SHA256=3A2FB34E03A10D57422B6652E69786D29FA3544BBD1BA80EB0CE779B43875179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370695Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:35.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32AC7FC8055AA1B2739DFAD3D4B8FB4,SHA256=7CA3AB054876B6FCEFECC928405D6A4E58CC1D137E05183D032C077CD18A10E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323840Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:33.744{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50003-false10.0.1.12-8000- 23542300x8000000000000000323839Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:35.283{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3936783DBD8E43E22AD09C02186BA1EE,SHA256=8B5932BE2A0C376D5458F29B63D00D6CE114527B86EFAF74345AF5586C6C0C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370696Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:36.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88BD9DE722A152FE1D3049F432986374,SHA256=9CEBB0F730E6DE1139B38714B0891A5BF1C849E63004B50F280E7EB0E3CEC79C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323841Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:36.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BE3842C8BE5DB556A420CB982786A3,SHA256=989EF3D4E5F8C9ECDF10EAD0E0472B3D6B785BC716E0A0C63264B5E4196354E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370701Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:37.789{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00536F36BCC69D4108E99AF35DAC592D,SHA256=DE7AA3CEDA72AE9E9F6F66DD919F421BB68BEB030EECEB13B245A9EE31106FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323842Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:37.314{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4282C5AA840939752B3C0939201C7BFD,SHA256=AA59883B9732D54911D6E4576177F9DD4C8E1027FDAC00B5A46BA4465D01481C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370700Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.764{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60048- 354300x8000000000000000370699Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.761{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-266.attackrange.local64116-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000370698Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.761{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local54409- 13241300x8000000000000000370697Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:05:37.289{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0xfe69cd54) 23542300x8000000000000000370703Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:38.789{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032C7C2BE2E532FBD13AA6EBDDAE984E,SHA256=C56EDAADC592989F25D5FDDAB19D43B36152B68F654ED3F41F44142D58099CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323843Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:38.330{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576A756209DB5DF79E3DF6D6EA1DADC7,SHA256=F4F37746E36AA79A96BAC301670D13F3060D9C79269F0A46452959F299F294A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370702Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:36.087{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370704Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:39.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DA7460163EA34D63630807987E9F1C,SHA256=A6EAA1FCD23763D0DC084967619EE02609D3C53742561559BCEACA00C630EA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323844Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:39.330{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A6B33D8FAF3F747678CDAE779E0CD3,SHA256=7A543F26BC27B601F10281B12088D2EE776422FA74302CE817E91C40D494E6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370705Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:40.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10879A386D6720385185CA3731887E7,SHA256=067F3AA7ECDA0412966A30B33E434D5517F7922C5AB5185652E04285FDCE3D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323845Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:40.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8CBCBA443BDD505890BAA2C8A412AB,SHA256=E4E6BB6B130B0D5C9A794B3E2752FFDBD7951924D54CE0FFA9933FD23A1FF322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370706Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:41.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AA697A102B4206C7FAA1A4D951BC7E,SHA256=1DCFB70180904726569EFCFF4C3153FA47B5D60B64E3E0B3F6C9006EAD6CA056,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323847Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:39.639{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50004-false10.0.1.12-8000- 23542300x8000000000000000323846Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:41.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0821EFD59705010E1EAD4D8013E32928,SHA256=2BDA4BB7C08F97BB330528024BB5812646109EE9727C74FCB3CE38EE4DF765D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370707Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:42.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B926EB801C1B9263B685587C3BD830,SHA256=AFA7956E79D7F7FFFD286DED1562F39AC88F2BAAB533137952C12791AD964E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323848Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:42.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A53DB871F69088EEADE05D40B4F803,SHA256=D5DA0C4E6D52BE9C63DE1F31ED3D47C6B9F36B4978DDE03B23288DBCDAC2D961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370709Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:43.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A32CF9B6BC3DBD24B658C3DB4E3D924,SHA256=CA77E669831C87A90716B02DB03D2997ADECE03F50B5D1F71A00C639A2AA7201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323862Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FF7-619F-2F01-000000001002}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323861Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323860Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323859Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323858Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323857Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323856Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323855Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323854Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323853Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323852Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FF7-619F-2F01-000000001002}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323851Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FF7-619F-2F01-000000001002}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323850Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.741{99D2EDAA-5FF7-619F-2F01-000000001002}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323849Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.381{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F428698BB865A74092B1E3EA4FC3E75B,SHA256=9063860EFC864241B354F3414DF6338793A44D68294574280AF276672D72CA94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370708Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:41.087{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370710Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:44.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954E01380F68C5CE1C11378A53FC0CC7,SHA256=0B755FAD0EE2B46F79A634935C5210F3B9F82C997D54193A1F352C68F722AE07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323879Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.959{99D2EDAA-5FF8-619F-3001-000000001002}25201140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323878Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FF8-619F-3001-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323877Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323876Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323875Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323874Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323873Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323872Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323871Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323870Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323869Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FF8-619F-3001-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323868Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323867Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FF8-619F-3001-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323866Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.757{99D2EDAA-5FF8-619F-3001-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323865Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.741{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A058FA3F493D9982F12287FD71EBDC38,SHA256=C4F7004FF7FE006FEC649F62DDC6BC5B77DB0B6DB4DFD4BC77B337605517E0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323864Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.741{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE9FB0912F50F0680AF4758EEE69F2E1,SHA256=8864F6E37CE8F1B9776262A898723BB8794A9F2E8D74018C830AB18C7CD82C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323863Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.397{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD054DCC0A846D3DA2A21B95B83EA7CE,SHA256=99E7273A98686EC20E054D48D5EE25B8B0563EFFD92F82CD0AC8C5B4D6E9EEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370711Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:45.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAEBDD2F4D93DEC068CF29AE69D02F6,SHA256=410E7B181D2BE78FAE4E8600604B6E8C7080424869B1EDD8C5EF73DF018F2B55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323894Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FF9-619F-3101-000000001002}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323893Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323892Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323891Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323890Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323889Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323888Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323887Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323886Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323885Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323884Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5FF9-619F-3101-000000001002}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323883Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FF9-619F-3101-000000001002}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323882Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.899{99D2EDAA-5FF9-619F-3101-000000001002}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323881Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.834{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A058FA3F493D9982F12287FD71EBDC38,SHA256=C4F7004FF7FE006FEC649F62DDC6BC5B77DB0B6DB4DFD4BC77B337605517E0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323880Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.397{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0C5806C74DB622391DD2B31D642115,SHA256=721C994372DA4B3F58235416B983D44C706B76C3D31F08B6BA210339EA7092D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370712Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:46.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550D715B0881B297C52C364CBF50F261,SHA256=09E6FFDE707A1AFA49AAF305220DA68C8234A1CFF0241C058D5CE36260EE9C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323896Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:46.897{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1DCAA8C5E4F2CEAC1EB0AC5D8120A13,SHA256=7E1F653DED0D931D0ACC1CAFD58370C06B06B5BC6667EFBDA04729808DB33FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323895Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:46.412{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDF30428C521682DE920FBF12ABB426,SHA256=A9F3060F2CD3688349766C53DC651385696D2AE5322B7887A6AFF54309282327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370713Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:47.820{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C33D0C6B7DE887324A056D2A07082B,SHA256=1A9E3294D130DE687E20562FE9DCC794F87614711568B60D061D2A15B04CDA3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323912Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.678{99D2EDAA-5FFB-619F-3201-000000001002}25723648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323911Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FFB-619F-3201-000000001002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323910Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323909Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323908Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323907Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323906Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323905Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323904Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323903Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323902Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323901Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FFB-619F-3201-000000001002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323900Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FFB-619F-3201-000000001002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323899Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.491{99D2EDAA-5FFB-619F-3201-000000001002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323898Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.444{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F325FCB3B20453266267DA67F39033,SHA256=C081BCCB5B42738C92C641B10B6C108724E571D39AD2FDE4F0F4034F19057C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323897Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.780{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50005-false10.0.1.12-8000- 23542300x8000000000000000370715Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:48.820{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8513CDCD8FC6C58B24316FE509F348,SHA256=988BE5293C34E733A46886651F418051AC9B715E8FD66012B1CDCDA51D577E30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323928Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.803{99D2EDAA-5FFC-619F-3301-000000001002}25003420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323927Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FFC-619F-3301-000000001002}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323926Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323925Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323924Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323923Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323922Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323921Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323920Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323919Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323918Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323917Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FFC-619F-3301-000000001002}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323916Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FFC-619F-3301-000000001002}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323915Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.616{99D2EDAA-5FFC-619F-3301-000000001002}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323914Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.506{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5D4466E9A043B957099115F7AB49D6,SHA256=22320C5EBE3F5CC6351450B0C2340D1B2BC87F2808553F47F3F1810E09253CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323913Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.444{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E1B7C653ACEDC0B1517C664560F4BD,SHA256=B8BFCBB3B07E609B739BE08446F7D04A15C06984E994BB169002F742E9A9976F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370714Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:46.196{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370716Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:49.898{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A8BAF0A551F115F235293E6F6FB1CD,SHA256=CA31C1D828290EF8BDBC0EAC510356A1B7617E21E6D2B0B160D69353CD99B0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323944Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.834{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5849BCB03184E240929EE98E3A91BEF2,SHA256=8DF5C5715E5901DD3DFABCC195B8ABD51D5FB49A9045A7014ED205824E695161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323943Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.787{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03BCE2BFD1F0BC7738D595EB9EDC9C65,SHA256=B140DDE92723319029F893F0D86850F87B0BAEFACCC0CF37E21459704631349E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323942Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.584{99D2EDAA-5FFD-619F-3401-000000001002}34723864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323941Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FFD-619F-3401-000000001002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323940Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323939Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323938Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323937Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323936Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323935Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323934Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323933Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323932Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323931Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FFD-619F-3401-000000001002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323930Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FFD-619F-3401-000000001002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323929Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.366{99D2EDAA-5FFD-619F-3401-000000001002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370717Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:50.898{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9D667530B6B977A02E582DE171458A,SHA256=8B88B9078CA384AA7B9AA6087BFB06F723C59EF3F81A5F374889F9A0ED1FB5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323958Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.584{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F981136676061818BAA50FA844A509F,SHA256=94D0CD07E5C9BB5E992D482E42033C494DBB5BF714A5512669F7A4EDD606D775,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323957Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FFE-619F-3501-000000001002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323956Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323955Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323954Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323953Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323952Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323951Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323950Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323949Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323948Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323947Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5FFE-619F-3501-000000001002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323946Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FFE-619F-3501-000000001002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323945Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5FFE-619F-3501-000000001002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370718Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:51.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2532772474E56FFE4A219132B3809E,SHA256=8AEFF4CB7551960BDF94731A36EDE8E6BDC98575E2DA7997A673EA2F7542BC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323960Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:51.740{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DCABDFE3D43C37B36ED0E2D054C31F9,SHA256=D656D9BBD03DF01EE7E5FD90849CAFB9B5D416BC7D1EC0100FF6196249D9AAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323959Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:51.631{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164F705C87AC84546120BBE6D227D89E,SHA256=BE712FC8408098A55FD444489683AFF76A492495FECE1F943D02B40511ED4272,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370722Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.945{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370721Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.945{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370720Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.945{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370719Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D0252EE1D538DC7441B0EA5DC0E084,SHA256=3CF16FE46FFFBE76035DB0337314C84C049A4CC653CF569A62DE2AB7A686CE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323961Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:52.647{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A136298E25406BCBBDA6099ED5C9435E,SHA256=4C42B8438DC26CA4197E8A91AAC73DBBB5F3D5D8C54D5913E1097A93A61C34A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370723Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:53.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A76F983D53CC4E53EE60AEB4AB58DE8,SHA256=917AA04EAB7F84221F81D625F209AA0C5FF72E94DEC2AAA766BDD37B1EF36DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323963Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:53.678{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49683A41C5313EF0E05B914ECD7F2AF,SHA256=00517F40722DC11538C58533F5CBDAC24758C1ADC5BDB457D00D423B575A8546,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323962Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.795{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50006-false10.0.1.12-8000- 354300x8000000000000000370725Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.134{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370724Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:54.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B41577F81F95F81D292C68426843C7,SHA256=AF4160F92690DF3FA3F3D0A3E1F08CC8AD538898B9671AF427CD2C7F921340A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323964Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:54.678{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004A25B87977A4FDA88B25EA47B72FCA,SHA256=26FFC7CC07C3401D198AB37E3CA35DD301EBFF2009F204EBA9E413CA5306FBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370726Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:55.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66CEBB40B6804CC7097E41601C278D5E,SHA256=94325C878A5D6C90ADF7B56BB447C138C0D1CCFFC939003A03D9A0CA4188578E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323965Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:55.678{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE213271B09F3A4A3519458EB632D73,SHA256=F6AE2DC0A629669067CD3CF0B46F36577CE6AF0FCB40FA5273B06696AF540DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370727Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:56.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC1DC795F949C05A8B2DADF09A01382,SHA256=3DEF58C26FB5ECBBA5B81C0C28ED2E7BDFD73A5BEFF5F347C5EAF617FD84C4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323966Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:56.694{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947172DD254D0656256340981CDF58DE,SHA256=4B204CBD2BD9A9F5990544BBF0190B5FD416376ACE3FAAC92BBE83B7D001B2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370728Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:57.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D469D7DCDB5FA1DCAE484D2664C3CBAE,SHA256=EA3A7B3AB71F3BFF9E4314FA6E475CC9D4D5398789413766D1BDDABBA06D1B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323967Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:57.694{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A5A614929FD51932BA0F999ACD1C5,SHA256=59A1584B348B1AAAD60359C9590D18AAD38D8968529D6CA47EACAC6CE9613B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323968Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:58.709{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF5B3F8CF2FEFBF0C9400741CACA6D2,SHA256=A754A53F2778E376B850DAAC84AE5C1B1F5887A9A5FE4DDF49A21EA62CA766C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323970Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:59.729{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8154EF5C71201915659EB3A1376BCD2,SHA256=9C5A0B71448B7389E971A552FB53CE75D2C5664B5B2EF28903B3F048C65BD401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370729Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:59.024{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB6097DB35AC6CF42C18D9AA55E29C2,SHA256=608737F0836D6503B81081B9E4A5A88F6B9773936DB430E72CBEEC7C2ABF3D28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323969Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:56.655{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50007-false10.0.1.12-8000- 23542300x8000000000000000323971Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:00.729{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C558ADEF9DAFCA9A00E265181F522490,SHA256=88E424CC55F89A257938FF3E965683A21665C8321427E53EFD9CDF2D5FA5BBCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370731Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:58.118{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58910-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370730Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:00.075{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE66040C3FCD646A4DAEC87A95022BFE,SHA256=6756E8A8BFC7E561F571DC19E7D811EAD7828F524001AE0D883F71A4B8A90255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323972Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:01.745{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C043CED2BFF0B9D7FD8BD2BD93D30D2,SHA256=1EAEC2FBDDA942292873DCACFCB864FD0B2C22A7B843B8B6B006653571C491DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370732Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:01.294{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F52438A7CDCD083A3C6A52FD6961714,SHA256=EE670ECB9AA07BF8DEE86458E7D730A5AED39F2FDB403FCAC393C8040B063F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323974Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:02.839{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9795D227D6CF2A19AA7CCE06E14C653,SHA256=7D0BE09978F2633DD651941F2CC1971EE39476B4363F6CA7F4C717EAA8C58480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370734Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:02.325{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F36A9A09E2CA43D13EE78AC3FA3CF8,SHA256=A57C8A74DB10F6424C212CD0408FCC74303C9392AE307AF37D1F44A1CD51BAA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323973Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:59.787{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-61.attackrange.local50368-false10.0.1.14-53domain 354300x8000000000000000370733Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:59.234{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.15-50368- 23542300x8000000000000000323976Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:03.885{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5FB29DCE1D4805327CAD47A01A187D,SHA256=62CF648FBB34E4492201C6050FB054785D831032AC97ABF3465EDAAF5170830D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370736Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:03.325{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551A227F52D8D5C137E12CE64597B1DF,SHA256=C8D0012B9BD8D2561EF4CA0D6B893431DE970110F746346566033B7A251E0804,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000323975Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:06:03.495{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e4-0x0e089235) 354300x8000000000000000370735Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:59.235{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.15-49524- 23542300x8000000000000000323979Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:04.890{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA94CFF35642E02E3C10FF749C1287F,SHA256=55E6436A33DAD85840358D547D89AF861EE70A05178E9084E21328503C57853A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370747Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.610{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5697452B158D315769C5ACDE019C8F5A,SHA256=CD14ABBC45A7710CAC1F5CAB289DEB603F59F38A29CE61035488F5B976A28C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370746Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.610{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C37E443880EA4087D1ED7CE894958A13,SHA256=C8E164AF34C592A7005D03B17F71DF43B46090F8449AAA5DEC17B93423672C17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370745Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-600C-619F-7301-000000000F02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370744Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370743Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370742Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370741Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370740Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-600C-619F-7301-000000000F02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370739Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-600C-619F-7301-000000000F02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370738Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-600C-619F-7301-000000000F02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370737Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.343{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29319DF0C0347AF1433D2F0E2BB0075,SHA256=CEE12709836995BCEA00279BCD76F2A3B0E274141EF7DF868B90F3304A8F2814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323978Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:04.624{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-021MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323977Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:01.785{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50008-false10.0.1.12-8000- 23542300x8000000000000000323981Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:05.936{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC70FB9A977E3442939BFEE1A9B493A0,SHA256=E71F95CAA13E391F15AE78EC2B101567F414087069DE71D74CEBFDA418D2F504,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370759Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.484{27B459FE-600D-619F-7401-000000000F02}43323912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370758Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.359{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FE5E618659DDB1C66B7A82EEDBA0A6,SHA256=055A46F4E15E2B15A20758ADFE0B4AF6A3717B729729700758095F54A3EABC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323980Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:05.626{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370757Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-600D-619F-7401-000000000F02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370756Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-600D-619F-7401-000000000F02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370755Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370754Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370753Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370752Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370751Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-600D-619F-7401-000000000F02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370750Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.266{27B459FE-600D-619F-7401-000000000F02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370749Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:02.639{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58911-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370748Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:02.638{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58911-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000323982Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:06.969{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D55DC0D263F1C313606D90771459FBD,SHA256=CDDBA82AF86D240D34FDBAAFB8DC822ED8149906BA73E2DB32B4A826CA0C663C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370769Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.469{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BD1D79845E9D02511B716743CF6702,SHA256=0881A50C188B0239C253822C3D5DCC26FBCA51446C677407D8C6DFAF785FA2A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370768Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-600E-619F-7501-000000000F02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370767Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370766Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370765Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370764Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370763Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-600E-619F-7501-000000000F02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370762Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-600E-619F-7501-000000000F02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370761Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.407{27B459FE-600E-619F-7501-000000000F02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370760Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.265{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5697452B158D315769C5ACDE019C8F5A,SHA256=CD14ABBC45A7710CAC1F5CAB289DEB603F59F38A29CE61035488F5B976A28C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370772Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:07.469{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E5EABC42A7D8C8118CDE42DC9BCA1A,SHA256=DE7541CBC7B6BA128695D7D092BF39F309BC95BCDC6ADEEF11C903862D0576BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370771Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:07.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC860ADAD82F8768644AC43D85FA33D2,SHA256=ED2C76921C98EE1F1AB0677660B548EA0A2DC95077CBD1D854C642BB4187EEF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370770Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.077{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000370782Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.812{27B459FE-6010-619F-7601-000000000F02}1124596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370781Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6010-619F-7601-000000000F02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370780Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370779Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370778Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370777Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370776Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-6010-619F-7601-000000000F02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370775Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6010-619F-7601-000000000F02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370774Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.563{27B459FE-6010-619F-7601-000000000F02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370773Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.484{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38951E4473B8BEC206E370CFB68AAB6B,SHA256=F30A3C9A7514CAD149849A5FA3956430CC716F6EE79066987D2B4718790B7875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323983Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:08.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB617DB1526FFD506B695443AEC63074,SHA256=4971099C35A83B7F25EAB99477287C02BAEA202BEDA65CC14E9C61B26992ECDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323985Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:07.743{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50009-false10.0.1.12-8000- 23542300x8000000000000000323984Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:09.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DAB42A6DE8B2D10201E176C9F8BD42,SHA256=B1A6A940F361F81244AEDD06D261CD1856874240FF8991E1C081E82A1B092196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370801Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6011-619F-7801-000000000F02}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370800Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370799Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370798Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370797Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370796Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-6011-619F-7801-000000000F02}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370795Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6011-619F-7801-000000000F02}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370794Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.924{27B459FE-6011-619F-7801-000000000F02}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370793Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14AACE75D015E5951BA6726669CEF8C7,SHA256=F4865C819E833C7EB8FD5810984DACB4BD9A78FE388208676FF25DCAD4EB6683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370792Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.484{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882E3B9497BCF15DB634FCB63F0D81A5,SHA256=DC787FAF7D91B03E9B731C5A8A6E20209D305039E48A2F1569E10F575B89D7D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370791Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.250{27B459FE-6011-619F-7701-000000000F02}6032360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370790Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6011-619F-7701-000000000F02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370789Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370788Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370787Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370786Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370785Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-6011-619F-7701-000000000F02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370784Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6011-619F-7701-000000000F02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370783Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.063{27B459FE-6011-619F-7701-000000000F02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370804Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:10.922{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=238BC1E9A6CBA15D7CE7DC6F64FCD985,SHA256=F904B62079F4F84C0461BD7E01140212CE8F4B5D6C845BF35E5BEAB8F07DB0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370803Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:10.500{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786376363DE66681707C10458F321FF2,SHA256=3DBD6CE3F995DD97E11C0D15A0BAEA5D1ED617C6EE0D8FC263EB27CBDDF03D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323986Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:10.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F914AF57C7D3ED6477D46FE8E64AFDE,SHA256=7C4036F9441C77577C17A6803ADC23E05729AB87BFC919891E35FAB76CBFC1DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370802Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:10.109{27B459FE-6011-619F-7801-000000000F02}5882236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370805Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:11.531{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A66175F2280F22BCA01D4DB13AD458B,SHA256=B10B77A4803C956D7A0BA09251D477116C8B5334598D14E8A5053BAF3ECE1C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323987Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:11.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BC2321B26A053F2280D0481B0BC805,SHA256=5B4BC41820B03F26EC11AE695C6A6BFEC8A77A745F833E7E84C84DE5B59683F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370815Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.531{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FC9DA9305C39DE4209BB68B11ED455,SHA256=2DFF4CECE30B42BF648CA299865C39F659C3E30CDAB455DD9198B16C4AB57DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323988Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:12.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C754ADDAA544A390604EFBFBB239C07,SHA256=9F049B3462536D7D4C58F808215B915709FAA0C614839EB9F672DCBB5D96042A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370814Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.154{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000370813Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6014-619F-7901-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370812Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370811Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370810Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370809Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370808Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6014-619F-7901-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370807Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6014-619F-7901-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370806Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.110{27B459FE-6014-619F-7901-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370817Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:13.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2553BE91B7E90D120FFD11016ABA4120,SHA256=F859546FCED2FE8D15501DBFB7B29FE819104111D9F478E431242F5D2D41AF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323989Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:13.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33B890E9E21886DB90762B702BB5742,SHA256=CC2691580BBFF42934B310B45EE418031B44318169EA3BEDECB96A69A5FC2465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370816Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:13.109{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA4704175E0B0048C981B14632ED3033,SHA256=ABEFC33C2FF8A043738A192B957D81C1CBE3E7BEABD0599194D88FDAFD20A76D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370819Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:14.734{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370818Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:14.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDCE685B185406FA421813E80BC002C,SHA256=E7BF3AE84E9FEECC82EFEC24B15C329C457A597B86384055BDB1C3913BD2CE56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323991Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:12.759{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50010-false10.0.1.12-8000- 23542300x8000000000000000323990Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:14.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B294319BCF9164A1C7F9CC40E173B1A8,SHA256=BDECD4B507649E6548341E8F00514A1C91383B7809622BC6D2D7BD47030E1FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370820Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:15.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C4A252E239E318B289C38BA0E56215,SHA256=F11128ACB7DD41006F211D171E990657F72DF3439C384CD0997591ACBC311471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323992Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:15.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441F8544396390A244978C0834996F53,SHA256=3486F81002DADED5BD5FAD25D1CE57F191CA2DD1D13496B23C8165E5B6602643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370822Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:16.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED414EB827A0DB99C43F911B4A3AC6E,SHA256=3A8136C23D227361DBE64F9BD80DF584811C5D32E26C5CB4936CD9DADB0390F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323993Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:16.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6D2170CA4AD6493AF0E11E5BB3E0BB,SHA256=B6EBAEDDB5AB73A56A500B41563BF213C28963D6674EC2DC1808C16384574A43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370821Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:13.749{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58914-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000370823Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:17.578{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86630CAECEF28F579CFA10D92B1200EE,SHA256=3DADD4383C77A28CAE36E367F837B3D909C230632E7C4A7289357E5E20779F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323994Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:17.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C7D50D350218514424FCDDF07CCB46,SHA256=F9FEA1385F5ADF8A271C6E4BF072E5F073F94EB7F401D10D84FB08F44160D0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370825Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:18.578{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1BDBE0E6EB9DDBE13694660316A562,SHA256=FF8CAE246932CBE17BEF0772FE041B671F6D040A28D3B1FC9ABA155C7E67FFE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323995Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:18.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADA51835457A00B25E893A349749687,SHA256=66C7936E2DA405422C6C421AC8A64906772EF2E774FA7B0008DA2E7C5BFBC80C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370824Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:15.154{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370826Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:19.585{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C925422CE35B532FEA0A7CBD90C721FB,SHA256=C3A52DF363C7264D5849C8357A3B198BBAD5CE921103B41A370D713FD09E55BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323996Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:19.141{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE561248326206AEA71C776A8BF30527,SHA256=04873A5470F2760F55ECD094F700A7353AE6D7336CEC5C32BA400D7BB8DF51A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370827Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:20.585{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060ADB73B8EFB675717F10A4C039D706,SHA256=B8393D629498DEAC38817C385B15BB8E1B3C3EBDE23F4F0B95F09DFDA3D043FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323998Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:18.743{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50011-false10.0.1.12-8000- 23542300x8000000000000000323997Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:20.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B539211DFE5D86173329884DA1299A,SHA256=C4EF0C0F08F5C62F80039C0DB1379A52713985FA38EEF52DABA26B384ADBA59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370828Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:21.601{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378227930B95152E50C391B20D52A87D,SHA256=A5488A80A1D4068DBFF1AE20213DDE5D0C2273EE76C7ABF9B492A1E029E4FB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323999Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:21.174{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7320D9CF3B5D2B759570837BA2A40DEE,SHA256=327C6BEC7CF726C1F29375B151E671746D65957B2FCF58ACA02B4CBE4D7C0C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370829Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:22.648{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F9BA95EAE070C2C32702F9990D9297,SHA256=FBA1F7A7562C77D66B0CEC2AD8951C6AA900D5E3F724E5429F0BAB5EA67698C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324000Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:22.205{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AF5AA3C47C2D7F3A0F635EE3F7CBC3,SHA256=E1C4C87BACA3269CB5B5922B75AA31C69E00220FDE6E65B8B08373FFB009A4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370831Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:23.648{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A013E3C25DFD79BC539295EB7DFE956,SHA256=0B171C94CA84B45633B6FB1A015182585352F68C7A4D6E27299C49DCED985B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324001Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:23.236{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DFAA959264289DF9CCCF79F69E8F48,SHA256=B0571EE84DE072C93979ADE7D6DBC9ECE500270053B5046FB5F1BFDCB2C10BC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370830Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:21.083{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58916-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370833Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:24.748{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-021MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370832Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:24.667{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D400DE0275EF66EA95AA2521989912,SHA256=849472C8639441D9C0F0D58AD5AE0C5AB588664A26A9B8CF5C24AC0B455D0C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324002Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:24.268{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1D2804437DACA7B827F78BFD185D84,SHA256=589E616B9BF5B6842C5303D781D46560D48271BDB6A007A250FEBBE75CF60509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370835Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:25.747{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370834Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:25.668{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E7D0A9301CCF1640491542B41B373C,SHA256=5E4B1C4A1BBFFBB59FD10A3806B60DA1E7C2151BA010AEA8BB77AF729B2D3198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324003Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:25.283{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431D9A4E36589F835646392BE3652507,SHA256=1F5314F25E11448EB997C72DFBF72516EB26A21CA164DF14767D886B944DE77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370836Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:26.687{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25AEFC8DBD64933E2ADAC1E20164C61,SHA256=07C778842D01288ECB7099A267FA7E1D0CB9083F14F6D73CAF077B64AC140C5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324005Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:24.636{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50012-false10.0.1.12-8000- 23542300x8000000000000000324004Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:26.283{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E103A80F9FF5FE67FEEDA86E9E0F0B,SHA256=8FDF67E731AF05E5371491D60B1DCB0EA6DF75E8C84E0A25AE46C9F175ACC5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370837Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:27.687{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8683130C25C429E0C727641476D78C,SHA256=701F37A484664B2167D63FFA0B5B4A2D2474ACD46BE475C82F0BAFD7D7989614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324006Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:27.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BFE20B2A6E7FA64104DEC0A52ED0B38,SHA256=7FE326D9EE31E8B2525667CCBA5C3075F0C063DFE23EA26CA7D2A56D4402B3BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370838Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:28.687{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95647BAE31A0C766C3A871870ECBBED,SHA256=CB293F5324D2B08392262DB0FF794F227ABB01D8C330C48FF7A90D1329317C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324007Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:28.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB5F4B2D97DF8AD3AB7CD99BEC914C8,SHA256=BE4724F7833DF47E0F372D746B226739EB59AE5364E918F52122FFF41F54C9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370840Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:29.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A934352160E1D875C3421334300750C8,SHA256=2629CE91786C3333C306F3AC041D4D5780777ACA61FAEA499FD6B84C8CAAEB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324009Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:29.377{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8811C59BC1E6D6B4742F71260183D48C,SHA256=6D2201DBA46A15B1381516C57D5C538367D0F9A99F38888CF32D658809720A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324008Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:29.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFEB02E4223F6FF7979588EE3DB8979,SHA256=01A856112306D732A95276F20F4F66DFD3FC75F4B390AF8211A06CFCB2FA5FC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370839Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:27.059{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58917-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370841Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:30.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5B1AF5F746F70E58670F630BF83AC9,SHA256=B97FA02D6A4D691DBE2E7AF477B58A5CA7A9342089AD223C3E6E35B86DD8959E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324011Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:30.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0911A4B01ECB521B49188F8AC162EB91,SHA256=14F913D59A29A139708AC6A6DF722A0CEB922AFABC6B3FCD22D0203626B5B133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324010Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:30.268{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370843Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:31.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7317D3D0DCF99572118E8D358618A1D,SHA256=008A4A6698503069A7C40284551234077927E879E1595F4824C1F157AFAAA3E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324014Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:29.839{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50014-false10.0.1.12-8089- 354300x8000000000000000324013Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:29.792{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50013-false10.0.1.12-8000- 23542300x8000000000000000324012Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:31.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBD5E421909C240B9708A2FF898FAED,SHA256=B9107A122DC64CE8DF3FA6F3180ECF6EF3D179FD7F596B1C1F86F82989140891,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370842Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:31.562{27B459FE-5AC4-619F-0D00-000000000F02}8964808C:\Windows\system32\svchost.exe{27B459FE-5C04-619F-AC00-000000000F02}4356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370844Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:32.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBC7133826ADC0C037EFDC8AB1E29F7,SHA256=F0F21C312DCA3CB6207066B0FD724CAEDEB43ADFD42DBEA301DB98377B37C4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324015Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:32.314{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEB06277F18680C87D9940708E44DD0,SHA256=11E982ED2B3FB80C415F55E1A51EFA38CA0C90B29A4272FE99272A461825F59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370845Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:33.718{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D4B51054DFFD2D189DFC0FA96D29DB,SHA256=0D3CD24093F2B6CF2FDCD6C1582B8EB958D20FF496EF6D227CDD3DE1E785332E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324016Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:33.330{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BA09E0185DC5D523786D1864BDFEED,SHA256=181604B205F370A669450B64C1A1F780FB2208774A6A4B2C596D5DA0791C7C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370848Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:34.718{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252F161EF181C7333C8D9BA26930B031,SHA256=3178D394DDCDD3A629ECD79FFE83ED65D26CAA96CC308C9092801408D14D5001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324017Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:34.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6DB0880379A40F4834B50C54E7B0EE,SHA256=264F5A7911903B8E0EDCF809D2867F50B74A36B1DFCB0985D3A10013F161BD51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370847Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:32.184{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58918-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370846Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:34.437{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6F6D8C89D05C8585056850616E3404F,SHA256=DBC38ACFB0BC3C505CB6201D9464B2183F8B3BAA2496830CB9E59B25ADC73A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370849Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:35.781{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F8652DF28B279F60A549CBB963D69E,SHA256=2CE798C64E175F9DAF4B0D7FABB70498ACDB03342996B01B4F9C388D47482F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324018Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:35.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB6DDFE818C61787529DB2204828108,SHA256=2BBB2198C0AA38FD1564779C6E9F6295E3969E2FDFD386FBFA4F9834E5772AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370850Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:36.827{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD7A4BA70F8312A00A749EA3CD4E0DD,SHA256=284C549270C6D810FC0230C92B4292D1FB3A1EDB06AEDCAA0FA81AA83CBCA65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324019Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:36.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5300103D57104F389316BEF64A7E9A,SHA256=EAAB7E1649AC5675733561B83FE7B4191C63E3178E0494969E42F10B3A7CD9DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370851Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:37.843{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAE54CA82E1CAE219AF8FC2166E1ECB,SHA256=78227FCCB41DDA28E35009EEDF27E5C8D1EF4AE087B993C4B048B1981CAB1FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324020Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:37.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641EF6F195649CD74DD60F15147D76D6,SHA256=CEF9B8BACC7660017918110F30516DAE38E836AD1103827F1FF50D20D1231B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370852Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:38.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC05586E6AFC359369AC3B65B754D72,SHA256=303131AF4DCBF0159BAD82E7748AE157149A3368FD04A6F9229690FD0D159567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324022Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:38.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AADACECBD896C5FA0B06678E595B434,SHA256=566270F5A66875D9CD0F32BDE200BDEF528F8DCD2934719E8D0460EE8C858348,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324021Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:35.823{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50015-false10.0.1.12-8000- 23542300x8000000000000000370853Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:39.865{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A56AC467F6A853832FF2B2C0E28EC0,SHA256=3798EF89C1DE136852D946787BBDDE9D225B53A10B1552AE93D1E3EAB4B77487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324023Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:39.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF4239318F37DEAD52157EAFCD98F09,SHA256=93C5FEAEFCE367A6023C9567B9210C2CA379522EB207087591037730FF1ECD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370855Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:40.865{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B85AF43FFB35700EF8678015D285333,SHA256=980F226C380DC4F90CAB1748FAB867622FDB91B0FF7D21BB831EA44D096EB9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324024Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:40.374{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AD44B6F6E36ED0F311CE7924A2E1E4,SHA256=BE0E20A593BF4A1784C16B7E8E66AC489E4F40CD59969A03425A92E562FFDB6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370854Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:38.122{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58919-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370856Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:41.865{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E19F7AE0E7759C1DD048138FB55273B,SHA256=2D4E4C93ED6D26070A6EC7BE901B664145918292D2F3EA6EB82440DBA6D7B995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324025Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:41.390{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C9B34045953B3721ABAB6A777768D7,SHA256=D9DE84077D56AA3D1518D61D8C6E8188433DA557864E907CE536EA57522BB927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370857Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:42.927{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E70918E176AF9741F1B9BDC25FC3122,SHA256=7FBB5AF6946F3A12B74046CDB3789AC5ECAF06BD406FECC216AE2EFFBF57B2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324026Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:42.390{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFAED64469A78FE4DA5A42722A24CCE,SHA256=70ED17B53671B0FFD4B3233B6B90123235176D6E75BBE94AC40AC4F4E6AFCC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370858Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:43.927{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC31F5FAD4FD5AADDAEF50453CA7D8A,SHA256=E1C68BBFE4CDD311599A5DD00E9946069462A9EBB2903F033916343C209C4A42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324040Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6033-619F-3601-000000001002}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324039Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324038Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324037Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324036Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324035Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324034Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324033Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324032Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324031Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324030Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6033-619F-3601-000000001002}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324029Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6033-619F-3601-000000001002}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324028Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-6033-619F-3601-000000001002}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324027Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.390{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8773A791DDABCB673589407D73F35D72,SHA256=7C25FB46D11FF0B818D99F335A302BB5AB8D0AE7FE86333152718247DAE66071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370859Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:44.958{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C32718FBB04A1A03C2077D56BFAFF33,SHA256=CD00162DD204B6CECEC15FDCFCAF8750DC5187AAAF59B627DC4506582C04DA64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324058Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.843{99D2EDAA-6034-619F-3701-000000001002}37642676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324057Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.734{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910D59D4D82B82FD40B34765154667EC,SHA256=15D0A37E633A309F6238EFEC7A47AECE6EC64FC438DC74BDA1AD5B7FC0255549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324056Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.734{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71917A0DE8AF78BF44544E1C47D62F73,SHA256=5A66D235F62C50CAF7FE6DF6031073236255CAF7AAF0A283A334054EAE2DB1D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324055Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6034-619F-3701-000000001002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324054Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324053Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324052Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324051Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324050Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324049Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324048Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324047Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324046Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324045Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-6034-619F-3701-000000001002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324044Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6034-619F-3701-000000001002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324043Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.657{99D2EDAA-6034-619F-3701-000000001002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324042Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.452{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1D52B1B2A5AFF5879E04A1508B5D9D,SHA256=FAACD86A07C2317E284BF42DCBEDAC8BD5E5821DD048DC289F297E5B0BECB216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324041Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:41.713{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50016-false10.0.1.12-8000- 23542300x8000000000000000370860Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:45.958{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B782214EB3E0992E7D02E25B4D29EE38,SHA256=F356099BBF018C6AABE4C7B39873B569D36A3FC5A0F0FD2E2EC488F612D168D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324072Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6035-619F-3801-000000001002}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324071Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324070Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324069Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324068Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324067Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324066Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324065Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324064Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324063Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324062Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-6035-619F-3801-000000001002}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324061Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6035-619F-3801-000000001002}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324060Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.892{99D2EDAA-6035-619F-3801-000000001002}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324059Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.468{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121A56D434EAE764AB9F9EA6B7ADA3AE,SHA256=0B93FE8C658458E81FB77FDA174BDB0FF1C2C09B8B98174011AAD6A60665B790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370862Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:46.958{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61083ABC90BFA519695241A872ECC32,SHA256=D404E2C80337CF12E2780895B1F7300AA8B3893FE818503B88B832E4F046CAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324074Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:46.890{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910D59D4D82B82FD40B34765154667EC,SHA256=15D0A37E633A309F6238EFEC7A47AECE6EC64FC438DC74BDA1AD5B7FC0255549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324073Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:46.468{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69DA04ACC0ED0E33F71F073FA2352F0,SHA256=4B4429E523F8F09591B2663E00E48559EDF966E2152FECAFFEE0CFEB786E5BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370861Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:44.128{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58920-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370863Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:47.958{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F1E3C9B2B922D6D9F5596FC111EB85,SHA256=0155F86BCF049BD26855E8E72D44AA288B7449ABEFBA3C183E62D2F7ABE4E4D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324089Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.687{99D2EDAA-6037-619F-3901-000000001002}22923152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324088Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6037-619F-3901-000000001002}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324087Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324086Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324085Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324084Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324083Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324082Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324081Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324080Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324079Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324078Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-6037-619F-3901-000000001002}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324077Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6037-619F-3901-000000001002}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324076Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-6037-619F-3901-000000001002}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324075Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.468{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0530E9F380C801D5D4168CCE36B5498A,SHA256=B765965D52AF9C1E8DA3F763578954F90056C0B6684FDA64D2C9701E1BA7B099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370864Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:48.959{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADE5F289E1B55F2DFC69BAC71A2BACE,SHA256=404183BBA02950A12F95CC11133E8F90C8738A3D92EA9AEEAA01A858F122315E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324105Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.812{99D2EDAA-6038-619F-3A01-000000001002}39723596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324104Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6038-619F-3A01-000000001002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324103Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324102Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324101Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324100Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324099Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324098Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324097Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324096Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324095Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324094Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6038-619F-3A01-000000001002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324093Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6038-619F-3A01-000000001002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324092Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-6038-619F-3A01-000000001002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324091Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.515{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69A78B95730A653AC98082A5D475D9E,SHA256=12F864E0BC46E6AB7853AD87BFE32BCD99903D57377B0D4DAA361BD3F6360804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324090Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.484{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88907EF3578949F087EC06D315970FED,SHA256=65642800BF00261682C22CD69A9F7584C75B925E264E8350B546FF090DC8FA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370865Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:49.959{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC169061678046021302C47A2F19908,SHA256=80A889553707DFB64CD01397B869C07486902A410CEFC41E1F266D5DEAA16C8A,IMPHASH=000000000